Identification information embedding apparatus and identification information analysis apparatus

ABSTRACT

An identification information apparatus detects first and second boundary position information representing boundary positions on a high-order bit side and a low-order bit side of codes formed of components, extracts a colluder group matching with a set of the first and second boundary position information among colluder groups including combinations of an arbitrary number of identification information which is not more than a predetermined maximum number, and detects identification information which is common to a plurality of the colluder groups.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation of U.S. application Ser. No.10/351,477, filed Jan. 27, 2003, and in turn claims priority to JapanesePatent Application No. 2002-019133, filed Jan. 28, 2002, the entirecontents of each of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to an identification information embeddingapparatus which embeds a collusion-secure code indicative ofidentification information of an object in an object of, e.g., a copy ofdigital contents, and an identification information analysis apparatuswhich detects a collusion-secure code from an object and analyzesidentification information.

2. Description of the Related Art

Digital contents (for example, a still picture, a moving picture, sound,music and others) include a plurality of items of digital data. Of themany kinds of data, there are some which can maintain the identity orthe economic value of a work of the digital contents even if they arechanged to some degree. By changing data which falls in such anallowable range, various kinds of information can be embedded in thedigital contents. Such a technique is referred to as an electronicwatermark.

With the electronic watermark technique, it is possible to embed variouskinds of watermark information (for example, information to identify acopyright holder or a user of contents, information of rights of acopyright holder, conditions to utilize contents, confidentialinformation required when utilizing contents, a copy control informationand the like, combinations of such information and others) for varietyof purposes (for example, control over utilization, copyright protectionincluding copy control, promotion of secondary use and others) anddetect/use them.

Here, consideration is given as to the application of the electronicwatermark technique to embed information which individually identifies acopy (for example, watermark information uniquely corresponding to auser ID) when distributing these copies of the digital contents to manyusers.

A technique to embed (a code corresponding to) inherent identificationinformation in a copy of digital contents functions to avoid an illegalcopy of the digital contents and also serves as a post-relief whenviolation of the copyright occurs since a user who further duplicates acopy of the digital contents and runs it off as a pirate edition can bespecified by detecting identification information from the pirateedition when this pirate edition goes into circulation.

Such a user tries to interpolate the identification information whencreating the pirate edition. However, since the user does not know whichpart corresponds to bits forming (a code corresponding to) theidentification information, he/she must considerably change the copy ofthe digital contents. By doing so, since the economic merit of thedigital contents is lost, the motivation to illegally copy isdiminished.

In such a circumstance, a “collusion attack” has emerged as a methodwhich enables illegal copying.

The collusion attack utilizes the fact that different identificationinformation is embedded in each copy. For example, by this method, whena plurality of people bring copies and compare them bit by bit, a parthaving a different value of digital data (embedded identificationinformation) is found, and the identification information is changed andlost by changing only this part (for example, majority decision,minority decision, randomization and others). It is to be noted that asimilar result may be obtained in some cases by performing an operation,e.g., averaging pixel values between the contents without effecting aspecific comparison operation.

For instance, giving a simple example, it is assumed that (codescorresponding to) the following identification information are embeddedin copies of Mr./Ms. A, Mr./Ms. B and Mr./Ms. C, respectively:

A: 00 . . . 00 . . .

B: 00 . . . 11 . . .

C: 11 . . . 00 . . .

When the part of the identification information is detected, this partcan be changed into, e.g., (a code corresponding to) the followingidentification information which is different from that of each ofMr./Ms. A, Mr./Ms. B and Mr./Ms. C:

10 . . . 01 . . .

Therefore, there have been proposed various kinds of method which embeda code having a resistance to a collusion attack, i.e., a propertycapable of specifying a part or all of colluders even if under thecollusion attack (which will be referred to as a collusion-secure codehereinafter) as an electronic watermark and a tracing algorithm based onthe collusion-secure code (algorithm used to specify an identificationnumber embedded in contents used for a collusion attack and specify userIDs of the colluders). For example, there is (1) Dan Boneh and JamesShaw, “Collusion-Secure Fingerprinting for Digital Data,” CRYPTO '95,452-465, 1995 or (2) Hirofumi Muratani, “A Collusion-SecureFingerprinting Code Reduced by Chinese Remaindering and Its Random-ErrorResilience”, Information Hiding Workshop 2001, 303-315, 2001.

The collusion-secure code disclosed in the cited reference (1) isdefined as a code that there is a tracing algorithm which outputs atleast one collusion ID belonging to C with respect to an arbitrarycollusion C which is |C|≦c (c is the maximum number of collusions, i.e.,a total number of colluders). In order to further strengthen theresistance to the collusion attack, namely, further increase the upperlimit number of the number of collusions which disables specification ofcolluders, a code length to be embedded in the contents must beincreased. On the other hand, since there is a limit in a code length tobe embedded in contents, an upper limit is provided in the number ofcopies utilized for collusion attack in order to reduce a code length inthis kind of collusion-secure code and the tracing algorithm based onthis collusion-secure code. If the collusion attack is carried out usingcopies whose number exceeds an allowed number, there may occur anerroneous judgment that an identification number of a copy which doesnot concern the collusion attack is erroneously output as anidentification number of a copy which has concerned the collusion attackand a person who is not a colluder is specified as a colluder.

In order to lower the probability of the erroneous judgment, the numberof copies which are realistically likely to be prepared by colluders isassumed, a collusion-secure code must be designed in such a manner thatan allowed number exceeds that number, and a large allowable number mustbe absolutely set, which leads to a large code length.

An attempt to decrease the code length is the cited reference (2). Thiscode is a code with which reduction in code length is considerable whena total number of sets of identification information or a collusion sizeis large. This code has a structure of a “concatenated code” utilizing“Chinese Remainder Theorem” and allows a tracing error in not only an“inner code” but also an “outer code”. In order to estimate a tracingerror rate in an outer code, as a new “marking assumption,” it isassumed that “respective residues forming a set of residue pairsobtained by decoding the inner code relative to a code word created by acollusion can be treated as random variables which take a value withprobabilities in conformity with an independent and uniformdistribution.” The number of inner codes is determined in such a mannerthat a probability that a person who is not a colluder is accidentallyregarded as a colluder with respect to a residue pair obtained from apredetermined number or more of the inner codes.

However, a problem in the cited reference (2) is that a reasonableground is not provided to this assumption and the outer code formed bythe stochastic argument based on this requires many inner codes withrespect to a small c. Therefore, the number d of the inner codes cannotbe suppressed relative to a small c, and the number of tracing errorswith respect to the outer codes cannot be zero.

BRIEF SUMMARY OF THE INVENTION

Accordingly, the present invention is directed to method and apparatusthat substantially obviates one or more of the above problems due tolimitations and disadvantages of the related art.

According to an embodiment of the present invention, an apparatus whichanalyzes identification information of an object based on data extractedfrom the object, comprises a colluder group extraction unit whichextracts a colluder group having a predetermined relationship with thedata among colluder groups including combinations of an arbitrary numberof identification information which is not more than a predeterminedmaximum number.

According to another embodiment of the present invention, anidentification information embedding apparatus comprises a codegenerator which generates a collusion-secure code corresponding toidentification information, a restriction being provided between amaximum number of colluders defined by a tracing algorithm, the numberof components forming the code, and a range of the identificationinformation; and an embedding circuit which embeds the generated code inan object.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING

FIG. 1 is a view showing a schematic structure of a contentsdistribution system including an electronic watermark embeddingapparatus and an electronic watermark analysis apparatus according to anembodiment of the present invention;

FIG. 2 is a view showing a structural example of the electronicwatermark embedding apparatus according to the embodiment;

FIG. 3 is a view showing a structural example of the electronicwatermark analysis apparatus according to the embodiment;

FIG. 4 is a flowchart showing an example of schematic procedures of theelectronic watermark embedding apparatus according to the embodiment;

FIG. 5 is a view showing a structural example of a code generator of theelectronic watermark embedding apparatus according to the embodiment;

FIG. 6 is a view showing a structural example of a component codegenerator of the code generator according to the embodiment;

FIG. 7 is a view illustrating an example of a component code generatedby the electronic watermark embedding apparatus according to theembodiment;

FIG. 8 is a view illustrating an example of an integer set formed of aplurality of integers corresponding to each user ID in the embodiment;

FIG. 9 is a view illustrating an example of a collusion-secure codecorresponding to each user ID in the embodiment;

FIGS. 10A, 10B, 10C, and 10D are views illustrating a position of aboundary concerning a bit pattern in each component code in theembodiment;

FIG. 11 is a view showing a structural example of a decoding device ofthe electronic watermark analysis apparatus according to the embodiment;

FIG. 12 is a view showing a structural example of an inner code decodingdevice of a decoding device according to the embodiment;

FIG. 13 is a view for illustrating processing of a code divider of theinner code decoding device according to the embodiment;

FIG. 14 is a view showing a structural example of a residue pairdetector of the inner code decoding device according to the embodiment;

FIG. 15 is a view showing a structural example of an outer code decodingdevice of the decoding device according to the embodiment;

FIG. 16 is a view illustrating a tracing algorithm according to theembodiment;

FIGS. 17A and 17B are views for illustrating the tracing algorithmaccording to the embodiment;

FIGS. 18A and 18B are views illustrating the tracing algorithm accordingto the embodiment;

FIGS. 19A, 19B, and 19C are views illustrating a tracing algorithmconcerning the embodiment;

FIG. 20 is a flowchart showing an example of a tracing algorithm of theouter code decoding device of the decoding device according to theembodiment;

FIG. 21 is a flowchart showing an example of a processing procedure atstep S1 illustrated in FIG. 20;

FIG. 22 is a flowchart showing another example of the tracing algorithmof the outer code decoding device of the decoding device according tothe embodiment;

FIG. 23 is a flowchart showing an example of a processing procedure atstep S21 illustrated in FIG. 22;

FIG. 24 is a flowchart showing an example of a processing procedure atstep S22 illustrated in FIG. 22;

FIG. 25 is a flowchart showing a first half of still another example ofthe tracing algorithm of the outer code decoding device of the decodingdevice according to the embodiment;

FIG. 26 is a flowchart showing a last half of still another example ofthe tracing algorithm of the outer CODE decoding device of the decodingdevice according to the embodiment;

FIG. 27 is a view illustrating exchange of residues;

FIG. 28 is a view illustrating a case of r=c=3;

FIG. 29 is a view showing a structural example of an electronicwatermark embedding apparatus relative to a chemical compound accordingto a second embodiment;

FIG. 30 is a view showing another structural example of the electronicwatermark embedding apparatus relative to the chemical compoundaccording to the second embodiment; and

FIG. 31 is a view showing a still another structural example of theelectronic watermark analysis apparatus relative to the chemicalcompound according to the second embodiment.

DETAILED DESCRIPTION OF THE INVENTION

An embodiment of an identification information embedding apparatus andan identification information analysis apparatus according to thepresent invention will now be described with reference to theaccompanying drawings.

First Embodiment

As an application of an electronic watermark, description will be givenas to a case where identification information which differs inaccordance with each copy is embedded as watermark information in eachof the copies (for example, a still picture, a moving picture, sound,music and others) of the same digital contents and identificationinformation of colluders is traced. It is to be noted that descriptionwill be mainly given as to a case where a user identificationinformation (user ID) of a user corresponding to the copy, namely, auser who utilizes the copy (for example, a user who delivers or lendsthe copy with a recording medium or a communication medium being used asa medium) is used as identification information hereinafter butinformation having the user ID subjected to a predetermined change maybe used as identification information, or information other than theuser ID or information obtained by conversion from such information maybe used as identification information. It is to be noted thatinformation such as a date and an hour of utilization or a place ofutilization and others may be included in the user ID.

Of course, many other various kinds of watermark information (forexample, information concerning a copyright of contents, informationconcerning rights such as a copyright, information concerningutilization conditions of contents, confidential information requiredfor this utilization, copy control information and others, orcombinations of such information) may be embedded in copies of digitalcontents and detected, but a structure of a part concerning any otherwater mark information is arbitrary when using such watermarkinformation.

The following structural view can be also achieved as a function blockdiagram of the apparatus, and a function module view or a procedure viewof the software (program).

FIG. 1 shows a conceptual view of a digital contents distribution systemincluding an electronic watermark embedding apparatus and an electronicwatermark analysis apparatus according to an embodiment of the presentinvention.

The electronic watermark embedding apparatus 1 and the electronicwatermark analysis apparatus 2 are included in, e.g., a contentsprovider system and managed thereby.

Alternatively, the electronic watermark embedding apparatus 1 may beprovided in a user system (for example, a user system used to utilizecontents (for example, connected to or incorporated in a computer systemor a dedicated device or the like)), and the electronic watermarkanalysis apparatus 2 may be provided in a contents provider system.

Watermark information is embedded in a copy of digital contents beforetransferring the copy to a user in the former case, and it is embeddedbefore the copy is used by a user in the latter case.

A method of embedding desired watermark data in digital contents in theelectronic watermark embedding apparatus 1 or a method of taking out thewatermark data itself from the digital contents in the electronicwatermark analysis apparatus 2 may be any method.

The electronic watermark embedding apparatus 1 can be realized assoftware (program) as well as hardware. Likewise, the electronicwatermark analysis apparatus 2 can be realized as software (program) aswell as hardware. In addition, when the electronic watermark embeddingapparatus 1 and the electronic watermark analysis apparatus 2 are usedin the contents provider system, they can be integrated and realized.

FIG. 2 shows a structural example of the electronic watermark embeddingapparatus 1. The electronic watermark embedding apparatus 1 includes acode generating device 11 which generates a collusion-secure codecorresponding to identification information (for example, a user ID) tobe embedded, and a code embedding device 12 which embeds the generatedcollusion-secure code (embedded code) in target contents.

Upon receiving target contents and identification information (forexample, a user ID of a target user) to be embedded in this targetcontents, the electronic watermark embedding apparatus 1 generates thecollusion-secure code corresponding to the identification information,and outputs the collusion-secure code embedded contents as a copy (forexample, a copy for a user of that user ID) corresponding to theidentification information. In case of utilizing any other watermarkinformation, any other watermark information is embedded according toneeds at that time.

Incidentally, for example, when the identification information is notequal to the user ID and the user ID is given, pre-processing such asconversion of the given user ID into the identification information iscarried out.

Each copy of contents corresponding to the identification informationobtained by the electronic watermark embedding apparatus 1 isdistributed through a distribution path 3 with a recording medium or acommunication medium being used as a medium. A collusion attack using aplurality of copies is carried out in this distribution path 3.

FIG. 3 shows a structural example of the electronic watermark analysisapparatus 2.

As shown in FIG. 3, the electronic watermark analysis apparatus 2includes a code extraction device 21 and a decoding device 22.

The code extraction device 21 extracts an embedded code from a copy ofcontents as a detection target. Irrespective of presence/absence of acollusion attack, the code is extracted on the assumption that thecollusion-secure code in case of no collusion attack is embedded. Infact, not only the embedded collusion-secure code is extracted, but thecode changed under the collusion attack may be extracted in some cases.

The decoding device 22 specifies (or presumes) that there has been nocollusion attack, or one or a plurality of sets of identificationinformation (for example, a user ID) corresponding to a collusion-securecode embedded in a copy which is considered to be used in a collusionattack by executing the later-described tracing algorithm with respectto the extracted code. The specified (assumed) user ID is a result oftracing.

Incidentally, for example, when the identification information is notequal to the user ID and the user ID must be obtained, thepost-processing such as conversion of the specified identificationinformation into the user ID is carried out.

The electronic watermark embedding apparatus 1 will now be described indetail hereinafter.

Here, description will be given as to a case where the identificationinformation is equal to the user ID. Therefore, when description isgiven as to the case where the identification information is equal tothe user ID, the user ID generally means the identification information.

FIG. 4 shows an example of schematic procedures.

A code generating device 11 obtains M (M is a plural number) integersA(1), A(2), . . . A(M) corresponding to the identification information(namely, the user IDs in this example) to be embedded in a target copy(step S101). There is a method of previously obtaining and storing the Mintegers and a method of obtaining them when necessary.

There are various methods of obtaining the integers A(1), A(2), . . .A(M).

For example, each integer A(1) in each i (i=1 to M) may take any valueof 0 to N(1)-1. Here, for example, in this embodiment in which theseintegers are predetermined positive integers which are different fromeach other, it is desirable that N(1), N(2), . . . N(M) are relativelyprime integers. It is to be noted that N(1)<N(2)< . . . <N(M) may beset.

At this moment, there is a method of randomly allocating a value in arange of 0 to N(1)−1 to each of the M integers A(1) corresponding to theuser IDs and a method of allocating a value in a range of 0 to N(1)−1 toeach of them in accordance with a definite rule. Further, in both cases,for each user ID, there are a method of exclusively allocating a set ofthe M integers in such a manner that at least one of A(1), A(2), . . .A(M) is different and a method of allowing redundant allocation of a setof the M integers that A(1), A(2), . . . A(M) are all the same to aplurality of the user IDs. In this embodiment, it is desirable to enablespecification of the unique identification information from the set ofthe M integers by adopting the former method.

As the method of exclusively allocating values, for example, there is amethod by which some integers in a range of 0 to N(1)×N(2)× . . .×N(M)−1 are used as values of the user IDs, and a remainder obtained bydividing a target user ID by N(1) with respect to each of the M integersA(1) is determined as a value of A(1) corresponding to the user ID. Inthis embodiment, it is desirable that the M figures N(1), N(2), . . .N(M) are relatively prime integers. It is to be noted that N(1) <N(2)< .. . <N(M) is set. It is to be noted that a set of the M integerscorresponding to the identification information (=V) in this case{A(1)=V mod N(1), A(2)=V mod N(2), . . . A(M)=V mod N(M)} corresponds toa set of the reference residues {r⁽⁰⁾ ₁, r⁽⁰⁾ ₂, . . . r⁽⁰⁾ _(M)} whichwill be described later in detail. Further, in this case, as will bedescribed later in detail, it is preferable to provide a definiterestriction between an assumed maximum number of colluders c, the numberM of the integers (=the number of component codes) and a range of theidentification to be used (for example, serial numbers starting from 0).

Incidentally, instead of the above, for example, the identificationinformation is not equal to the user ID, there is also a method by whichpredetermined conversion such that the user ID is subjected topredetermined conversion and thereby the converted value is equal to theidentification information becomes an integer in a range to be used from0 to N(1)×N(2) × . . . ×N(M)−1 is prepared, and a remainder obtained bydividing the identification information as a result of applying thepredetermined conversion to the target user ID by N(i) is determined asa value of A(i) corresponding to the identification informationcorresponding to the user ID. In this case, since the identificationinformation corresponding to the user ID is first obtained in thedecoding device 22, the reverse conversion of the predeterminedconversion is applied to the obtained identification information in thedecoding device 22 or the like if the user ID must be acquired, therebyobtaining the corresponding user ID.

Furthermore, here, although description is given as to the example inwhich a code corresponding to the user ID is embedded, for example,information indicative of the correspondence with information (forexample, a user name or a user ID and the like) used to specify a copyID of a copy of contents and its user may be recorded in a predeterminedstorage device, it is determined that the identification information isequal to the copy ID, and a code corresponding to the copy ID accordingto the user ID of that user may be embedded in the copy of the contents.In this case, since the copy ID corresponding to the user ID is obtainedin the decoding device 22, a corresponding user ID is obtained from theacquired copy ID in the decoding device 22 and the like if the user IDmust be obtained.

Moreover, for example, when a code corresponding to the copy IDaccording to the user ID is embedded as described above and when theidentification information is not equal to the copy ID, there is amethod of determining a remainder obtained by dividing theidentification information which is a result of applying thepredetermined conversion to the copy ID corresponding to the user ID byN(i) as a value of A(i) corresponding to the identification informationwhich corresponds to the copy ID according to the user ID. In this case,since the identification information is first obtained in the decodingdevice 22, the reverse conversion of the predetermined conversion isapplied to the obtained identification information in the decodingdevice 22 and the like and the corresponding copy ID is obtained,thereby acquiring the user ID from the copy ID.

Then, the code generating device 11 generates a collusion-secure codecorresponding to the user ID from the M integers A(1), A(2), . . . A(M)corresponding to the user ID (identification information) to be embeddedin the target copy (step S102). There are a method of previouslygenerating and storing the collusion-secure code corresponding to eachuser ID and a method of generating it when necessary.

The collusion-secure code corresponding to each user ID is generated byobtaining component codes W(1), W(2), . . . W(M) with respect to each ofthe M integers A(1), A(2), A(M) corresponding to the user ID andcombining (connecting) them.

As the component code W(i) corresponding to the integer A(i), it ispossible to use, for example, Γ₀(n, d) code (which is obtained bydetermining continuous d bits formed of only 1 or 0 as one unit B(j) andconcatenating B(0) to B(n−2); where B(0) to B(n−2) consist of all 0 orall 1, or B(0) to B(m−1) consist of only 1 and B(m) to B(n−2) consist ofonly 1.

For example, giving a simple example of a method by which a remainderobtained by dividing a target user ID by N(i) is determined as a valueof the integer A(i) corresponding to the user ID when the user ID isselected from integers in a predetermined range from 0 to N(1)×N(2)× . .. ×N(M)−1, assuming that n=5 and d=3 in case of N(1)=5, and the codeΓ₀(5, 3) is as follows:

when A(1)=0: W(1)=111 111 111 111

when A(1)=1: W(1)=000 111 111 111

when A(1)=2: W(1)=000 000 111 111

when A(1)=3: W(1)=000 000 000 111

when A(1)=4: W(1)=000 000 000 000

The collusion-secure code can be generated by concatenating thecomponent codes W(i) corresponding to the thus obtained respective A(i).

As to this code, 1 and 0 are arranged so as to be continuous in units ofd bits, and 1 or 0 whose number is less than d bits does notindependently exist. In the above example, it can be understood that 1or 0 whose number is less than 3 bits does not independently exist.Therefore, if 1 or 0 whose number is less than d bits independentlyexists, it can be assumed that the collusion attack has been carriedout. If 1 or 0 whose number is less than d bits does not independentlyexist, it can be assumed that there has been no collusion attack.

The thus generated collusion-secure code is embedded in the targetcontents by the code embedding device 12 of the electronic watermarkembedding apparatus 1 (step S103). As described above, the method ofembedding the generated collusion-secure code in target contents is notrestricted to a particular method, and the present invention can beapplied to any method.

FIG. 5 shows a structural example of the code generating device 11.

This code generating device 11 comprises k′(=M) modulus storages 121-1,121-2, . . . 121-k′, k′ residue calculators 122-1, 122-2, . . . 122-k′,k′ component code generators 124-1, 124-2, . . . 124-k′, a codeparameter storage 123, and a code concatenation circuit 125.

Predetermined positive integers different from each other, e.g.,positive integers p_(i)(=N(i)) (i=1, 2, . . . k′) which are relativelyprime integers are stored in the modulus storages 121-1, 121-2, . . .121-k′, and these integers p_(i) are supplied to the residue calculators122-1, 122-2, . . . 122-k′ as modulo. The residue calculators 122-1,122-2, . . . 122-k′ obtain residues u_(i)=u mod p_(i)(i=1, 2, . . . k′)having integers p_(i) as modulo with respect to the input user ID=u.That is, as a set of a plurality of integral elements corresponding tothe input user IDs (={A(1), A(2), . . . A(M)}), the residues u_(i)=u modp_(i)(i=1, 2, . . . k′) are calculated by the residue calculators 122-1,122-2, . . . 122-k′.

The component code generators 124-1, 124-2, . . . 124-k′ respectivelygenerate a component code Γ₀(p_(i), t) comprising the Γ₀(n, d) codeindicative of the residues u_(i)(i=1, 2, . . . k′) obtained by theresidue calculators 122-1, 122-2, . . . 122-k′ in accordance with thecode parameter t stored in the code parameter storage 123.

The code concatenation circuit 125 generates the collusion-secure codewhich is watermark information by concatenating the respective componentcodes Γ₀(p_(i), t) generated by the component code generators 124-1,124-2, . . . 124-k′.

FIG. 6 shows a structure of one generator 124-i of the component codegenerators 124-1, 124-2, . . . 124-k′. Assuming that the code parameteris t, the residue is u_(i) and the modulus is p_(i), a subtracter 131calculates p_(i)−u_(i)−1. A “0” series generator 132 generates acontinuous “0” series formed of t×u_(i) bits based on the code parametert and the residue u_(i), and a “1” series generator 133 generates acontinuous “1” series formed of t×(p_(i)−u_(i)−1) bits based on the codeparameter t and an output p_(i)−u_(i)−1 from the subtracter 131. Then,the “0” series and the “1” series are concatenated by the concatenationcircuit 134, and the bit string formed of t×(p_(i)1) bits is generatedas a component code Γ₀(p_(i), t) formed of the Γ₀(n, d) code.

FIG. 7 shows an example of a component code (component code before beingunder the collusion attack) of the thus generated collusion-secure code.Component codes formed of the “0” series and the “1” series of B(0), . .. B(n−2) are allocated in accordance with n user IDs (identificationinformation) from 0 to n−1.

Here, the above-described code generation method will now be describedbased on a simple example in which small values are used.

At first, it is determined that the number M of the integers is 3,N(1)=3, N(2)=5, and N(3)=7. In this case, A(1) is any of 0 to 2, A(2) isany of 0 to 4, and A(3) is any of 0 to 6.

Then, since N(1)×N(2)×(N(3)−1)=104, all or a part of the range of 0 to104 is used as the user ID (identification information). Here, 0 to 14in this range is used as the user ID.

For example, in case of the user ID=7, the following is achieved:

A(1)=7 mod N(1)=7 mod 3=1,

A(2)=7 mod N(2)=7 mod 5=2,

A(3)=7 mod N(3)=7 mod 7=0.

FIG. 8 shows A(1), A(2), and A(3) obtained with respect to eachidentification information (user IDs=0 to 14) in this example.

Then, a component code W1 corresponding to each of A(1)=0, A(1)=1, andA(1)=2 when d=3 in the Γ₀(n, d) code is as follows (it is to be notedthat 0 or 1 is written in units of 3 bits for better understanding):

A(1)=0: W1=111 111

A(1)=1: W1=000 111

A(1)=2: W1=000 000

Further, likewise, a component code W2 corresponding to each of A(2)=0,A(1)=1, A(2)=2, A(2)=3, and A(2)=4 is as follows:

A(2)=0: W2=111 111 111 111

A(2)=1: W2=000 111 111 111

A(2)=2: W2=000 000 111 111

A(2)=3: W2=000 000 000 111

A(2)=4: W2=000 000 000 000

Furthermore, likewise, each component code W2 corresponding to each ofA(3)=0, A(3)=1, A(3)=2, A(3)=3, A(3)=4, A(3)=5, and A(3)=6 is asfollows:

A(3)=0: W3=111 111 111 111 111 111

A(3)=1: W3=000 111 111 111 111 111

A(3)=2: W3=000 000 111 111 111 111

A(3)=3: W3=000 000 000 111 111 111

A(3)=4: W3=000 000 000 000 111 111

A(3)=5: W3=000 000 000 000 000 111

A(3)=6: W3=000 000 000 000 000 000

Therefore, for example, if the user ID=7, since A(1)=1, A(2)=2, andA(3)=0, the following can be achieved:

W1=000 111

W2=000 000 111 111

W3=111 111 111 111 111 111

The collusion-secure code corresponding to the user ID=7 is as followsby concatenating these codes (it is to be noted that the code is dividedand written at boundaries corresponding to W1 to W3 for betterunderstanding):

000111 000000111111 111111111111111111

FIG. 9 shows the collusion-secure code (W(1)+W(2)+W(3)) obtained withrespect to each identification information (user ID=0 to 14) in thisexample.

The electronic watermark analysis apparatus 2 will now be described indetail hereinafter.

Here, the collusion attack will be explained by utilizing the aboveexample.

For example, the following code is embedded as a collusion-secure codein contents obtained by a user having the user ID=2 (see FIGS. 8 and 9):

000000 000000111111 000000111111111111

Furthermore, for example, the following code is embedded as acollusion-secure code in contents obtained by a user having the userID=3 (see FIGS. 8 and 9):

111111 000000000111 000000000111111111

In this case, comparing the contents brought by the user having the userID=2 and the user having the user ID=3, it can be understood that thefirst to sixth bits, the 13th to 15th bits and the 25th to 27th bits inthe 36 bits are different. Thus, since it can be understood that they apart of (collusion-secure code corresponding to) the identificationinformation, some of the first to sixth bits, the 13th to 15th bits andthe 25th to 27th bits are changed and, for example, the following changeis applied:

010101 000000010111 000000101111111111

Similarly, for example, the user having the user ID=7 and the userhaving the user ID=8 apply the following change:

000010 000000101111 010111111111111111

Moreover, likewise, for example, four users having the user IDs=3, 4, 5,and 6 apply the following change:

010101 010101010101 000000000010101010

As described above, in the electronic watermark analysis apparatus 2according to this embodiment, a code extraction device 21 extracts anembedded code (an embedded collusion-secure code or a code changed bythe collusion attack) from a copy of contents as a detection target.

Then, the decoding device 22 executes a tracing algorithm with respectto the extracted code.

Here, the outline of the tracing algorithm will now be described.

Description will be first given as to a residue pair and a referenceresidue.

As shown in FIG. 10A, positions of both ends of the component code and aposition at a boundary of adjacent elements B(e−1) and B(e) aredigitalized and expressed in accordance with each of the component codes(three component codes in the above example) of the extracted code (agenerated collusion-secure code or a collusion-secure code which hasbeen under the collusion attack). That is, assuming that the number ofelements B(j) of the i-th component code W(i) is N(i)−1 and N(i) isrepresented by N in FIG. 10A, a position of the element B(0) at the leftend is expressed as 0; a position at a boundary of the elements B(e−1)and B(e), e; a position of the element B(N−2) at the right end, N−1.

Then, a boundary between an element B(s1−1) formed of only 0 and anelement B(s1) including at least one 1 which appear when seeing the i-thcomponent code W(i) detected from the contents from the bit at the leftend is obtained, and a value s1 indicative of the position correspondingto the boundary is represented as r⁽⁻⁾ _(i). On the other hand, aboundary between an element B(s2) formed of only 1 and an elementB(s2−1) including at least one 0 which appear when seeing the same fromthe bit at the right end is obtained, and a value s2 indicative of theposition corresponding the boundary is represented as r⁽⁺⁾ _(i).

For example, in the example of the code illustrated in FIG. 10B, r⁽⁻⁾_(i)=2 and r⁽⁺⁾ _(i)=4 can be obtained.

Incidentally, when the i-th component code W(i) comprises only 0, r⁽⁻⁾_(i)=r⁽⁺⁾ _(i)=N(i)−1 is obtained.

In addition, when the i-th component code W(i) comprises only 1, r⁽⁻⁾_(i)=r⁽⁺⁾ _(i)=0 is obtained.

Additionally, when there is no boundary between the element B(s1−1)formed of only 0 and the element B(s1) including 1, r⁽⁻⁾ _(i)=0 isobtained.

Further, when there is no boundary between the element B(s2) formed ofonly 1 and the element B(s2−1) including 0, r⁽⁺⁾ _(i)=N(1)−1 isobtained.

In this manner, a pair of position information

r⁽⁻⁾ _(i) and r⁽⁺⁾ _(i) can be obtained from one component code W(i).This pair of r⁽⁻⁾ _(i)and r⁽⁺⁾ _(i) is referred to as a residue pair. Itis to be noted that a set of all residue pairs r⁽⁻⁾ _(i), r⁽⁺⁾ _(i),r⁽⁻⁾ ₂, r⁽⁺⁾ ₂, . . . r⁽⁻⁾ _(M), and r⁽⁺⁾ _(M) obtained from all thecomponent codes W(i) will be also referred to as a residue-pairrepresentation hereinafter.

It is to be noted that since there is no element of the component codein which both 0 and 1 exist in the collusion-secure code itselfgenerated from the identification information (determined as=V),considering a representation corresponding to the residue pair, r⁽⁻⁾_(i)=r⁽⁺⁾ _(i)=V mod N(i) can be constantly obtained. For instance, inthe example of the code illustrated in FIG. 10C, r⁽⁻⁾ _(i)=2 and r⁽⁺⁾_(i)=2 can be obtained. Furthermore, for instance, in the example of thecode shown in FIG. 10D, r⁽⁻⁾ _(i)=4 and r⁽⁺⁾ _(i)=4 can be obtained.

The original boundary positional information (value indicative of aboundary position of a block formed of 0 and a block formed of 1(however, a position at the left end when the component code comprisesonly 1, and a position at the right end when the component codecomprises only 0)) in each component code (W(i)) in the collusion-securecode itself generated from the identification information, namely, aresidue which can be a reference (r⁽⁻⁾ _(i=r) ⁽⁺⁾ _(i)=V mod N(i)) willbe referred to as a reference residue and expressed as r⁽⁰⁾ _(i)hereinafter. It is to be noted that a set of all reference residues r⁽⁰⁾₁, r⁽⁰⁾ ₂, . . . r⁽⁰⁾ _(M) obtained from all the component codes W(i)will be referred to as a reference residue representation hereinafter.

Meanwhile, in the tracing algorithm, when each component code of thedetected code is examined and there is detected a component code havinga block in which 1 or 0 whose number is less than a predetermined d(3 inthe above example) bits independently exists, it can be determined thatthere has been a collusion attack. Further, assuming that the collusionnumber (the number of colluders) is not more than a predeterminedallowable number c, one or a plurality of user IDs (identificationinformation) corresponding to the collusion-secure code which isconsidered to be embedded in a copy used in the collusion attack can beobtained based on a set of all the residue pairs, namely, theresidue-pair representation (r⁽⁻⁾ _(i), r⁽⁺⁾ _(i)(i=1 to M)) obtainedfrom all the component codes W(i), and they can be specified as user IDsof colluders who have performed the collusion attack.

As to the component code M(i) corresponding to each A(i), differentparts obtained from a plurality of copies can be necessarily obtained ascontinuous elements B because of the property of the code as apparentfrom comparison of the codes shown in the above example, namely, thefollowing codes:

A(3)=0: W3=111 111 111 111 111 111

A(3)=1: W3=000 111 111 111 111 111

A(3)=2: W3=000 000 111 111 111 111

A(3)=3: W3=000 000 000 111 111 111

A(3)=4: W3=000 000 000 000 111 111

A(3)=5: W3=000 000 000 000 000 111

A(3)=6: W3=000 000 000 000 000 000

Therefore, both 0 and 1 exist in the continuous part by a change due tothe collusion attack.

Moreover, in a given component code (i), it can be understood that aposition of the left end and a position of the right end of thecontinuous part (block) in which 1 or 0 whose number is less than d bitsindependently exists, namely, r⁽⁻⁾ _(i) and r⁽⁺⁾ _(i) necessarilycorrespond to a position of a partition between 0 and 1 of the componentcode of the collusion-secure code embedded in any of a plurality ofcopies used in the collusion attack (a position of the component code atthe left end when the component code comprises all 1, and a position ofthe component code at the right end when a component code comprises all0), i.e., r⁽⁻⁾ _(i)=r⁽⁺⁾ _(i). Such information is obtained inaccordance with each component code W(i). By analyzing such informationr⁽⁻⁾ ₁, r⁽⁺⁾ ₁, r⁽⁻⁾ ₂, r⁽⁺⁾ ₂, . . . r⁽⁻⁾ _(M), and r⁽⁺⁾ _(M), the userID corresponding to the collusion-secure code considered to be embeddedin the copy used in the collusion attack can be specified as a user IDof a colluder who has performed the collusion attack.

As a simple example, in the collusion attack by two users, in eachcomponent code, r⁽⁻⁾ _(i) corresponds to r⁽⁻⁾ _(i)=r⁽⁺⁾ _(i) of the codeembedded in the copy that one of the two users has, and r⁽⁺⁾ _(i)corresponds to r⁽⁻⁾ _(i)=r⁽⁺⁾ _(i) of the code embedded in the copy thatthe other user has. The correspondence of one code and the other codecan differ in accordance with each component code. If there is such acollusion-secure code which has one selected from r⁽⁻⁾ ₁ and r⁽⁺⁾ ₁, oneselected from r⁽⁻⁾ ₂ and r⁽⁺⁾ ₂, . . . one selected from r⁽⁻⁾ _(M) andr⁽⁺⁾ _(M) as a position of the partition between 0 and 1 of eachcomponent code, that is a solution to be obtained, and the user IDcorresponding to the collusion-secure code represents a colluder.

For example, as shown in the examples of FIGS. 8 and 9, the followingcode is embedded as the collusion-secure code in the contents obtainedby the user having the user ID=2:

000000 000000111111 000000111111111111

The following code is embedded as the collusion-secure code in thecontents obtained by the user having the user ID=3:

111111 000000000111 000000000111111111

These two users perform the collusion attack and change thecollusion-secure code as follows:

010101 000000010111 000000101111111111

In this case, the following can be obtained in this changed code:

r⁽⁻⁾ ₁=0, r⁽⁺⁾ ₁=2

r⁽⁻⁾ ₂=2, r⁽⁺⁾ ₂=3

r⁽⁻⁾ ₃=2, r⁽⁺⁾ ₃=3

Referring to FIG. 8 or FIG. 9, since the user ID=2 satisfies r⁽⁺⁾ ₁=2,r⁽⁻⁾ ₂=2 and r⁽⁻⁾ ₃=2 and the user ID=3 satisfies r⁽⁻⁾ ₁=0, r⁽⁺⁾ ₂=3 andr⁽⁺⁾ ₃=3, it is possible to pin down that the collusion attack has beenperformed by the user ID=2 and the user ID=3 and the codes used in thecollusion attack are the following codes:

000000 000000111111 000000111111111111; and

111111 000000000111 000000000111111111

Meanwhile, since the residue pair r⁽⁻⁾ _(i) and r⁽⁺⁾ _(i) (r⁽⁻⁾ _(i) isnot equal to r⁽⁺⁾ _(i)) in a given component code W(i) after thecollusion attack is determined by the boundary position in the componentcode W(i) corresponding to the user IDs of the two users even if threeor more users have performed the collusion attack, the boundary positionin the component code W(i) of the user ID which has the boundary at aposition other than r⁽⁻⁾ _(i) and r⁽⁺⁾ _(i) does not appear in theresidue pair r⁽⁻⁾ _(i) and r⁽⁺⁾ _(i) obtained from the code detectedfrom the target contents. Therefore, in the collusion attack by three ormore users, all the boundary positions r⁽⁻⁾ _(i)=r⁽⁺⁾ _(i) (namely, thereference residue r⁽⁰⁾ _(i)) that all the component codes originallyhave cannot be obtained with respect to the collusion-secure codeembedded in a given copy used in the collusion attack in some cases.However, on the other hand, with respect to the collusion-secure codeembedded in a given copy, it is expected that the original boundaryposition r⁽⁻⁾ _(i)=r⁽⁺⁾ _(i) is obtained with respect to many componentcodes. Therefore, even if the user IDs of all the colluders cannot bespecified by appropriately combining r⁽⁻⁾ ₁, r⁽⁻⁾ ₂, . . . r⁽⁻⁾ _(M),r⁽⁺⁾ ₁, r⁽⁺⁾ ₂, . . . r⁽⁺⁾ _(M) obtained from the code detected from thetarget contents and performing verification, the user IDs of some of thecolluders can be specified.

This is the basic idea of the stochastic tracing algorithm.

Meanwhile, if some residues selected from r⁽⁻⁾ ₁, r⁽⁻⁾ ₂, . . . r⁽⁻⁾_(M), r⁽⁺⁾ ₁, r⁽⁺⁾ ₂, . . . r⁽⁺⁾ _(M) indicate a given user ID (if someselected residues indicate a part of the reference residuerepresentation with respect to the identification informationcorresponding to a given user ID), the prior art tracing algorithmoutputs it as a user ID of a colluder. However, if some selectedresidues do not actually belong to only one user but belong to aplurality of users, a user ID of a user who is not a colluder isaccidentally output. Thus, in order to suppress the probability of suchan erroneous detection, the number M of the component codes must beincreased and used, and a code length is disadvantageously increased.

The prior art performs the stochastic tracing that tracing is correctlycarried out with a given probability, whereas this embodiment enablesthe secured tracing instead of the stochastic tracing as to decoding ofat least an outer code by contriving decoding processing of the outercode in the tracing algorithm by the decoding device 22 in theelectronic watermark analysis apparatus 2, and enables reduction in thecode length as compared with the prior art (reduction in the number M ofthe component codes).

The decoding device 22 of the electronic watermark analysis apparatus 2according to this embodiment will now be described in detailhereinafter.

It is to be noted that, as described above, description will be given asto a case where the identification information is equal to the user IDhere.

The component code is also referred to as an inner code and obtained byencoding each residue pair. The residue-pair representation is alsoreferred to as an outer code and obtained by encoding the identificationinformation or information concerning one or more sets of identificationinformation included in a group of colluders although it cannot be saidthis is complete encoding.

FIG. 11 shows a structural example of the encoding device 22 of theelectronic watermark analysis apparatus 2 according to this embodiment.

As shown in FIG. 11, the decoding device 22 includes an inner codedecoding device (residue-pair representation output circuit) 221 whichinputs a code (an embedded collusion-secure code or a changed code underthe collusion attack) read from contents as a detection target andoutputs a set of residue pairs obtained from each component code W(i),namely, r⁽⁻⁾ _(i), r⁽⁺⁾ _(i) (i=1 to M), and an outer code decodingdevice 222 which outputs a tracing result.

The inner code decoding device 221 will be first described.

FIG. 12 shows a structural example of the inner code decoding device221.

As shown in FIG. 12, the inner code decoding device 221 comprises a codedivider 2211, and a plurality (M) of residue-pair detectors 2212-1 to2212-M provided in accordance with the respective component codes W(1)to W(M).

FIG. 13 shows a processing example of the code divider 2211 of the innercode decoding device 221.

As shown in FIG. 13, the code divider 2211 inputs a detected code anddivides it into each component code (code word of the inner code) inaccordance with a code length of each predetermined component code.

Assuming that n=N(i) in the Γ₀(n, d) code, the code length of eachcomponent code W(i) is (N(i)−1)×d bits.

For example, like the above collusion attack example (example that theuser having the user ID=2 and the user having the user ID=3 haveperformed the collusion attack in FIGS. 8 and 9; in the Γ₀(n, d) code,the example of M=3, N(1)=3, N(2)=5, N(3)=7 and d=3), the following codeis detected:

010101 000000010100 000000101111111111

In this case, (assuming that a code length of a first componentcode=(3−1)×3=6, a code length of a second component code=(5−1)×3=12, anda code length of a third component code=(7−1)×3=18 are know in advance),this detected code is divided as follows:

Component code W(1)=010101

Component code W(2)=000000010111

Component code W(3)=000000101111111111

The respective divided component codes W(1) to W(M) are supplied to thecorresponding residue-pair detectors 2212-1 to 2212-M.

FIG. 14 shows a structural example of the y-th residue-pair detector2212-y corresponding to the y-th component code W(y) of the inner codedecoding device 221. It is to be noted that the i-th residue-pairdetector 2212-y is written as a typical example but all of theresidue-pair detectors 2212-1 to 2212-M have basically the samestructure.

As shown in FIG. 14, the residue-pair detector 2212-y includes aplurality of (K=N(y)−1) determination sections 22121-1 to 22121-Kcorresponding to the respective blocks B(0), . . . B(N(y)−2) in units ofd bits of the y-th component code W(y), a first boundary positiondetector 22122 which obtains a boundary position r⁽⁻⁾ _(y), and a secondboundary position detector 22123 which obtains a boundary position r⁽⁺⁾_(y).

The determination sections 22121-1 to 22121-K respectively determinewhether all of d bits are 0 or all of d bits are 1 or none of them isapplied (both 0 and 1 exist) with respect to a corresponding blockformed of d bits in a given component code W(y).

The first boundary position detector 22122 obtains the above-describedboundary position r⁽⁻⁾ _(y) by making reference to outputs of thedetermination sections 22121-1 to 22121-K from the determination section22121-1.

Likewise, the second boundary position detector 22123 obtains theboundary position r⁽⁺⁾ _(y) by making reference to outputs of thedetermination sections 22121-1 to 22121-K from the determination section22121-K.

A detected pair of r⁽⁻⁾ _(y) and r⁽⁺⁾ _(y) is a y-th residue pair.

For example, in the code example (M=3), the above-described W(1), W(2)and W(3) are respectively supplied to the first residue-pair detector2212-1, the second residue-pair detector 2212-2 and the thirdresidue-pair detector 2212-3, and the following can be respectivelyobtained:

The first residue pair {r⁽⁻⁾ ₁, r⁽⁺⁾ ₁ 1}={0, 2}

The second residue pair {r⁽⁻⁾ ₂, r⁽⁺⁾ ₂}={2, 3}

The third residue pair {r⁽⁻⁾ ₃, r⁽⁺⁾ ₃}={2, 3}

A set of the first residue par r⁽⁻⁾ ₁ and r⁽⁺⁾ ₁ to the M-th residuepair r⁽⁻⁾ _(M) and r⁽⁺⁾ _(M) obtained by the inner code decoding device221 in this manner, namely, the residue-pair representation is suppliedto the outer code decoding device 222.

Description will now be given as to the outer code decoding device 222of the decoding device 22 of the electronic watermark analysis apparatus2.

FIG. 15 shows a structural example of the outer code decoding device222.

As shown in FIG. 15, the outer code decoding device 222 includes acolluder group extraction circuit 2221, a colluder identificationinformation extraction circuit 2222 and a tracing result output circuit2223.

Here, in the tracing algorithm, a maximum collusion number when thecollusion attack is carried out is assumed as c. That is, considerationis given as to a case where the collusion attack is carried out by anarbitrary number a of colluders satisfying 2≦a≦c, i.e., copies ofcontents in which a sets of different identification information areembedded. It is to be noted that consideration is given provided thatthe user and the identification information have the one-to-onerelationship in this example. However, for example, when the user andthe identification information can have the one-to-many relationship andthe same colluder subjects two copies of the same contents in which twosets of identification information corresponding to him/herself areembedded to the collusion attack, consideration is given in accordancewith each copy of the contents having embedded therein sets of theidentification information whose number is different from the number ofcolluders.

An identification information group formed by the respective sets ofidentification information embedded in a plurality of copies of thecontents which is supplied when performing the collusion attack based ona plurality of the copies of the contents having a (2 □ a □ c) sets ofidentification information different from each other embedded thereinwill be referred to as a colluder group hereinafter. For instance, inthe example of FIGS. 8 and 9, since the identification information isequal to the user ID (=0 to 14), assuming that the maximum collusionnumber c equal to 3 (it is to be noted that a range of theidentification range or the maximum collusion number will actually takea larger number), the colluder groups are {0, 1}, {0, 2}, . . . {0, 14},{1, 1}, {1, 2}, . . . {1, 14}, {2, 3}, . . . {2, 14}, {3, 4}, . . . {11,14}, {12, 13}, {12, 14}, {13, 14} (these are collusions based on a=2),{0, 1,2}, {0, 1, 3}, . . . {0, 1, 14}, {0, 2, 3}, {0, 2, 4}, . . . {0,2, 14}, {0, 3, 4}, . . . {10, 11, 14}, {11, 12, 13}, {11, 12, 14}, {12,13, 14} (these are collusions based on a=3). The collusion attacked withthe maximum collusion number c which is not more than 3 is carried outby any of the above-described colluder groups.

Then, the colluder group extraction circuit 2221 inputs a set of theresidue pairs obtained from the respective component codes W(1) to W(M)of the detected code, namely, the following residue-pair representation:r⁽⁻¹⁾ ₁, r⁽⁺⁾ ₁, r⁽⁻⁾ ₂, r⁽⁻⁾ ₂, . . . r⁽⁻⁾ _(M), r⁽⁺⁾ _(M)

Also, it outputs a colluder group which matches with thisrepresentation.

Here, a given colluder group matches with the target residue-pairrepresentation in the following case. That is, the reference residuerepresentation (r⁽⁰⁾ ₁, r⁽⁰)₂, . . . r⁽⁰⁾ _(M)) corresponding to each ofa plurality of sets of identification information forming that colludergroup are compared with those corresponding the same component code W(i)(for example, comparing r^((o)) ₁ corresponding to each identificationinformation with respect to W(1)), and a maximum value of the referenceresidue in the component code W(i) is represented as max(r⁽⁰)_(i)) whilea minimum value is represented as min(r⁽⁰)_(i)). In this case, if r⁽⁻⁾_(1=min(r) ⁽⁰)_(i)), r⁽⁺⁾ ₁=max(r⁽⁰)_(i)), r⁽⁻⁾ ₂=min(r⁽⁰)₂), r⁽⁺⁾₂=max(r⁽⁰⁾ ₂), . . . r⁽⁻⁾ _(M)=min(r⁽⁰⁾ _(M)), r⁽⁺⁾ _(M)=max(r⁽⁰⁾ _(M))can be achieved with respect to all of target residue-pairrepresentations r⁽⁻⁾ ₁, r⁽⁺⁾ ₁, r⁽⁻⁾ ₂, r⁽⁺⁾ ₂, . . . r⁽⁻⁾ _(M) and r⁽⁺⁾_(M), it can be determined that the given colluder group matches withthe target residue pair representation.

The number of the colluder groups obtained by the colluder groupextraction circuit 2221 can be one or more depending on the contents ofthe residue-pair expressions.

It is to be noted that the judgment of matching may be performed by theabove-described processing but it may be also carried out by preparing atable indicative of the relationship of the residue-pair representationand one or a plurality of the colluder groups matching with theresidue-pair representation and making reference to this table. Further,the identification information may be obtained by preparing a tableindicative of the relationship between the residue-pair representationand a plurality of sets of identification information forming onecolluder group matching with the residue-pair representation, or one ora plurality of sets of information existing commonly in a plurality ofthe colluder groups matching with the residue-pair representation, orinformation indicating that there is no such identification information,and making reference to this table. In this case, the following colluderidentification information extraction circuit 2222 is no longerrequired.

Meanwhile, when r⁽⁻⁾ ₁=r⁽⁺⁾ ₁, r⁽⁻⁾ ₂=r⁽⁺⁾ ₂, . . . r⁽⁻⁾ _(M)=r⁽⁺⁾ _(M)can be achieved with respect to all residues of the suppliedresidue-pair representation, there has been no collusion attack. In thiscase, the identification information specified by the reference residuerepresentation r⁽⁰⁾ ₁, r⁽⁰⁾ ₂, . . . r⁽⁰⁾ _(M) by which r⁽⁻⁾ ₁=r⁽⁺⁾₁=r⁽⁰⁾ ₁, r⁽⁻⁾ ₂=r⁽⁺⁾ ₂=r⁽⁰⁾ ₂, r⁽⁻⁾ _(M)=r⁽⁺⁾ _(M)=r⁽⁰⁾ _(M) can beachieved is embedded in the contents. In this case, supplyinginformation indicating that there has been no collusion attack, orinformation indicating that there has been no collusion attack and thedetected identification information to the tracing result output circuit2223.

Incidentally, for example, at first, it is possible to determine whetherr⁽⁻⁾ ₁=r⁽⁺⁾ ₁, r⁽⁻⁾ ₂=r⁽⁺⁾ ₂, . . . r⁽⁻⁾ _(M)=r⁽⁺⁾ _(M) can be achievedwith respect to all residues in the supplied residue pair expression,and the judgment on matching may be carried out if this cannot beachieved. Alternatively, for example, when the method of makingreference to the table is adopted as described above, the relationshipbetween the residue pair expression and the identification informationat that moment that r⁽⁻⁾ ₁=r⁽⁺⁾ ₁, r⁽⁻⁾ ₂=r⁽⁺⁾ ₂, . . . r⁽⁻⁾ _(M)=r⁽⁺⁾_(M) can be achieved may be also registered in the table, and processingusing the table may be enabled irrespective of whether r⁽⁻⁾ ₁=r⁺⁾ ₁,r⁽⁻⁾ ₂=r⁽⁺⁾ ₂, . . . r⁽⁻⁾ _(M)=r⁽⁺⁾ _(M) can be achieved.

Furthermore, when r⁽⁻⁾ ₁=r⁺⁾ ₁, r⁽⁻⁾ ₂=r⁽⁺⁾ ₂, . . . r⁽⁻⁾ _(M)=r⁽⁺⁾ _(M)cannot be achieved for some reason and the colluder group matching withthe supplied residue-pair representation cannot be obtained, or whenr⁽⁻⁾ ₁=r⁺⁾ ₁, r⁽⁻⁾ ₂=r⁽⁺⁾ ₂, . . . r⁽⁻⁾ _(M)=r⁽⁺⁾ _(M) can be achievedand the identification information which must be embedded in thecontents cannot be obtained, a result is an error. In this case, it issufficient to supply information indicative of the error to the tracingresult output circuit 2223.

It is to be noted that information required for the tracing algorithmsuch as a range of the identification information to be used, themaximum collusion number c, or the reference residue representationcorresponding to each identification information (or information used toobtain this reference residue representation (for example, N(i)) may beinput from the output side when carrying out tracing, or may be storedin advance. Incidentally, when the information used to obtain thereference residue representation corresponding to each identificationinformation is stored in advance, the reference residue representationmay be obtained every time tracing is carried out, or a once calculatedvalue may be stored.

Then, the colluder identification information expression portion 2222extracts identification information of the colluders who might haveactually participated in the collusion attack based on the colludergroup obtained by the colluder group extraction circuit 2221.

When only one colluder group is obtained by the colluder groupextraction circuit 2221, all the identification information included inthe colluder group is supplied to the tracing result output circuit 2223as identification information of the colluders. It is to be noted thatinformation which specifies the colluder group or the residue-pairrepresentation may be also output in addition to the obtainedidentification information.

When two or more colluder groups are obtained by the colluder groupextraction circuit 2221, only one or a plurality of sets ofidentification information which is commonly included in all theobtained colluder groups are supplied to the tracing result outputcircuit 2223 as the identification information of the colluders. It isto be noted that this identification information which is commonlyincluded in all the obtained colluder groups is referred to as commonidentification information.

Incidentally, if two or more colluder groups are obtained by thecolluder group extraction circuit 2221 and the common identificationinformation exists, information which specifies the colluder groups orthe residue-pair representation may be also output in addition to theobtained common identification information.

However, even if two or more colluder groups are obtained by thecolluder group extraction circuit 2221 but there is no commonidentification information, supplying information indicating that thereis no common identification information (or information which indicatesthat there is no common identification information and information whichspecifies the obtained colluder groups, or information which indicatesthat there is no common identification information and the obtainedresidue-pair representation) to the tracing result output circuit 223can suffice. Incidentally, as will be described later, when a case thatthe common identification information does not exist in a plurality ofthe obtained colluder groups is theoretically prevented from beinggenerated, the case that the common identification information does notexist in a plurality of the common colluder groups is generated only dueto an error.

The tracing result output circuit 2223 outputs a tracing resultincluding the information supplied from the colluder group extractioncircuit 2221 or the colluder identification information extractioncircuit 2222.

For example, the tracing result includes the identification informationof one or a plurality of colluders which might have participated in thecollusion attack when the collusion attack is detected, or informationindicating that the collusion attack is detected but the commonidentification information cannot be obtained (or information whichindicates the same and information which specifies the colluder group,or information indicating the same and the residue-pair representation),or information indicating that there has been no collusion attack (orinformation indicating that there has been no collusion attack and thedetected identification information) or information indicating that aresult is an error.

The tracing algorithm by the outer code decoding device 222 according tothis embodiment will now be described by using a simplified concreteexample in which small numeric figures are used.

At first, it is assumed that the number M of integers is 4 and N(1)=2,N(2)=3, (N)3=5, N(4)=7. Moreover, although N(1)×N(2)×N(3)×N(4)−1=210, 0to 5 in this expression are used as identification information (namely,user IDs as an example).

FIG. 16 shows a reference residue representation r⁽⁰⁾ ₁(=A(1)),r⁽⁰)₂(=A(2)), r⁽⁰)₃(=A(3)), r⁽⁰⁾ ₄(=A(4)) obtained with respect to eachidentification information (user IDs=0 to 5) in this example.

A collusion-secure code corresponding to the corresponding referenceresidue representation in FIG. 16 is embedded in each of copies ofcontents provided to users corresponding to the user IDs=0 to 5.

Here, as a result of carrying out the collusion attack by any two orthree of a copy of the contents having the user ID=0 embedded therein asthe identification information, a copy of the contents having the userID=1 embedded therein, a copy of the contents having the user ID=2embedded therein, a copy of the contents having the user ID=3 embeddedtherein, a copy of the contents having the user ID=4 embedded therein,and a copy of the contents having the user ID=5 embedded therein, such aresidue-pair representation as shown in FIG. 17A is obtained from thecopy of the contents generated by the collusion attack.

In this case, only the colluder group formed by the user ID=2 and theuser ID=3 such as shown in FIG. 17B matches with the residue-pairrepresentation illustrated in FIG. 17A (only the colluder group can beobtained).

Incidentally, in FIG. 17B, a circle indicates a minimum value in thereference residue of each user ID which has given the residue r⁽⁻⁾ _(i)with the component code i, and a square indicates a maximum value in thereference residue of each user ID which has given the residue r⁽⁺⁾ _(i)with the component code i.

When only the one colluder group is obtained in this manner, all theuser IDs forming the colluder group are the user IDs (identificationinformation) of the colluders which might have actually participated inthe collusion attack.

Further, as another example, it is assumed that such a residue-pairrepresentation as shown in FIG. 18A is obtained.

In this case, only the colluder group formed by the user ID=2, the userID=3 and the user ID=4 such as shown in FIG. 18B matches with theresidue-pair representation shown in FIG. 18A (only the colluder groupis obtained).

In FIG. 18B, it is to be noted that the circle and the square indicatethe same meanings as those in FIG. 17B. Although giving r⁽⁺⁾ ₁ indicatesthe reference residue of the ID=3 in FIG. 18B, it is the same as thereference residue of the ID=5. This point is also the same with respectto r⁽⁺⁾ ₂.

Since this is also the case that only one colluder group is obtained,all the user IDs forming the colluder group are the user IDs(identification information) of the colluders who might have actuallyparticipated in the collusion attack.

On the other hand, it is assumed that such a residue-pair representationas shown in FIG. 19A is obtained.

In this case, such a colluder group #1 formed by the user ID=0, the userID=1 and the user ID=4 as shown in FIG. 19B and a colluder group #2formed by the user ID=0, the user ID=3 and the user ID=4 as shown inFIG. 19C are suitable for the residue-pair representation in FIG. 19A(the two colluder groups can be obtained).

In FIGS. 19B and 19C, it is to be noted that the circle and the squareindicate the same meanings as those in FIG. 17B. However, in FIG. 19B,r⁽⁻⁾ ₁ is given as the reference residue of the ID=0, but it is also thesame as the reference residue of the ID=4. This point can be alsoapplied with respect to r⁽⁺⁾ ₂ in FIG. 19B and r⁽⁻⁾ ₁ and r⁽⁻⁾ ₂ in FIG.19(c).

When a plurality of colluder groups are obtained from the sameresidue-pair representation in this manner, it is hard to be aware ofwhich colluder group corresponds to the user IDs (identificationinformation) of the colluders who might have actually participated inthe collusion attack from only the residue-pair representation.

However, if the collusion attack is carried out with the colluder numberwhich is not more than the maximum colluder number, any one colludergroup of these colluders is a colluder group to be obtained.

Therefore, if there is the identification information which existscommonly in all of a plurality of the obtained colluder groups, at leastthat identification information (namely, the common identificationinformation) is the identification information of the colluders whomight have actually participated in the colluder attack.

Therefore, in this example, the user ID=0 and the user ID=4 which existcommonly in the colluder group #1 shown in FIG. 19B and the colludergroup #2 shown in FIG. 19C are the user IDs (identification information)of the colluders who might have actually participated in the collusionattack.

Even if it is impossible to be aware of all the colluders who might haveactually participated in the collusion attack, assuredly realizing evenone colluder possesses great significance for the pre-suppression ofillegal copy of digital contents or the post-relief when violation ofcopyright occurs.

Meanwhile, in case of allowing theoretical occurrence of a case where aplurality of colluder groups are obtained but there is no commonidentification information, occurrence of such a case means that noidentification information of colluders who might have actuallyparticipated in the collusion attack cannot be obtained at all. However,if the collusion attack has been carried out with the colluder numberwhich is not more than the maximum colluder number, any one colludergroup of these colluders is a colluder group to be obtained. Therefore,even in such a case, it can be considered that storing information of aplurality of the obtained colluder groups can serve as any reference.

However, it is desirable to suppress the cases that a plurality of thecolluder groups are obtained but there is no common identificationinformation as low as possible. Moreover, such cases can be reduced byany means.

For example, there is one method by which such a case as that aplurality of the colluder groups are obtained but there is no commonidentification information is searched and all or a part of theidentification information forming such colluder groups is preventedfrom being used.

In addition, for example, by determining an assumed maximum colludernumber c to be fixed, the above-described cases can be qualitativelyreduced by increasing the number M (=number of component codes) of theintegers or reducing a range of the identification information to beused. It is to be noted that the example shown in FIG. 16 corresponds tothe example where the above-described cases are all eliminated.

Additionally, the present inventor has discovered a method by which oneor a plurality of sets of common identification information(theoretically) necessarily exist by constraining a definite conditionbetween the maximum colluder number c, the number M (=number ofcomponent codes) of the integers and a range (determined as serialnumbers starting from 0) of the identification information to be usedwhen a plurality of colluder groups are obtained (that is, theabove-described cases are all eliminated in theory). This point will bedescribed later in detail.

Meanwhile, some procedure examples of the tracing algorithm according tothis embodiment will be described hereinafter. It is to be noted thatmany variations of the concrete procedure of the tracing algorithm arepossible and the procedure is not restricted to the following.

(Procedure 1)

FIG. 20 shows an example of the tracing algorithm of the outer codedecoding device 222 of the decoding device 22 according to thisembodiment.

It is to be noted that consideration is given as to a case where atleast one of r⁽⁻⁾ ₁=r⁽⁺⁾ ₁, r⁽⁻⁾ ₂=r⁽⁺⁾ ₂, . . . r⁽⁻⁾ _(M)=r⁽⁺⁾ _(M)cannot be achieved in the given residue-pair representation here.

All the colluder groups matching with the given residue-pairrepresentation are first obtained (step S1).

If the number of the obtained colluder groups is 1 (step S2), all theuser IDs forming the obtained colluder group are acquired as the userIDs of the colluders (colluder IDs) (step S3), and the obtained colluderIDs are output (step S6).

In cases where the number of the obtained colluder groups is not lessthan 2 (step S2), if there is a user ID which exist commonly in all theobtained colluder groups (step S4), only (one or a plurality of) user IDwhich exists commonly in all the obtained colluder groups is acquired asthe colluder ID (step S5), and the obtained colluder ID is output (stepS6). On the other hand, if there is no user ID which exists commonly inall the obtained colluder groups (step S4), information indicating thatthe colluder ID is not obtained (or information which indicates the sameand specifies the colluder groups, or information which indicates thesame and the residue-pair representation) is output (step S7).

It is to be noted that a result is error if no colluder group isobtained at step S2.

FIG. 21 shows an example of the processing procedure of step S1.

It is to be noted that serial numbers from 0 are given to all the targetcolluder groups as the colluder group IDs.

At first, it is determined that i=0 (step S11).

Whether the colluder group i matches with the given residue-pairrepresentation is examined (step S12). Then, if the colluder group imatches with the residue-pair representation, the ID=0 of the colludergroup i is held (step S13).

Then, i is incremented by 1 (step S15), whether the colluder group imatches with the given residue-pair representation is examined (stepS12), and the ID=0 of the colluder group i is held if the colluder groupi matches with the given residue-pair representation (step S13).

The similar processing is thereafter carried out with respect to all thecolluder groups (steps S14 and S15).

Incidentally, if the total number of the user IDs is large, sinceperforming this processing to all the colluder groups requires largecost, this processing may be carried out to only restricted colludergroups depending on, e.g., a condition concerning the size of thecolluder group or a condition that the probability of breaking by thecurrent collusion attack can be considered to be very low.

PRODEDURE EXAMPLE 2

FIG. 22 shows another example of the tracing algorithm of the outer codedecoding device 222 of the decoding device 22 according to thisembodiment.

It is to be noted that consideration is given as to a case where atleast one of r⁽⁻⁾ ₁=r⁺⁾ ₁, r⁽⁻⁾ ₂=r⁽⁺⁾ ₂, . . . r⁽⁻⁾ _(M)=r⁽⁺⁾ _(M)cannot be achieved in the given residue-pair representation here.

One colluder group X suitable for the given residue-pair representationis first obtained (step S21).

Then, all the colluder groups Y (Y₁, Y₂, Y₃, . . . ) which include atleast the one same user ID as the user ID forming the obtained colludergroup X and are suitable for the given residue-pair representation areobtained (step S22).

If no colluder group is obtained (step S23), all the user IDs formingthe obtained colluder groups Y are determined as the colluder IDs (stepS24), and the obtained colluder IDs are output (step S27).

In cases where one or a plurality of the colluder groups Y are obtained(step S23), if there is a user ID which exists commonly in all theobtained colluder groups (X, Y₁, Y₂, Y₃, . . . ) (step S25), only one ora plurality of the user IDs which exist commonly in all the obtainedcolluder groups are determined as colluder IDs (step S26), and theobtained colluder IDs are output (step S27). On the other hand, if thereis no user ID which exists commonly in all the obtained colluder groups(X, Y₁, Y₂, Y₃, . . . ) (step S25), information indicating that nocolluder ID is obtained (or information which indicates the same andspecifies the colluder group, or information indicating the same and theresidue-pair representation) is output (step S28).

It is to be noted that a result is an error when no colluder group isobtained at step S21. Alternatively, a modification may be given in sucha manner that information indicating that no colluder ID is obtained isoutput and the processing is terminated when this error occurs.

FIG. 23 shows an example of the processing procedure of step S21, andFIG. 24 shows an example of the processing procedure of step S22.

It is to be noted that serial numbers starting from 0 are given to allthe target colluder groups as colluder group IDs.

i is incremented by 1 sequentially from i=0 (steps S31 and S34), whetherthe colluder group i matches with the residue-pair representation isexamined (step S32), and the colluder group i suitable for theresidue-pair representation which is found at first (step S33) isdetermined as a colluder group X (step S35).

Subsequently, i is incremented by 1 sequentially from the colluder groupi=X+1 following the colluder group X obtained by the procedure of FIG.23 (steps S41 and S45), and the following procedure is carried out withrespect to each colluder group i (step S44). It is to be noted that j=0(step S41). At step S34, when there is no colluder group correspondingto next i, an error is output and the processing is terminated.

When the colluder group i does not include the same user ID as the userID forming the colluder group X at all, the processing advances to thenext colluder group (steps S42 and S45).

When the colluder group i includes at least one user ID equal to theuser ID forming the colluder group i (step S42), whether the colludergroup i matches with the given residue pair is checked. If they arematched, the colluder group i is determined as a colluder group Y_(j)and j is incremented by 1 (step S43).

PROCEDURE EXAMPLE 3

FIGS. 25 and 26 show still another example of the tracing algorithm ofthe outer code decoding device 222 of the decoding device 22 accordingto this embodiment.

It is to be noted that FIGS. 25 and 26 show an example when the maximumcollusion number c=3.

The number of the residue pairs of the residue-pair representation isdetermined as d (M in the above description) (step S51).

With respect to all sets of identification information u, the number ofthe residue pairs that u is congruent to the maximum residue or theminimum residue between u and the residue-pair representation isdetermined as V(u) (step S52). However, if even one pair such that theresidue of u is larger than the maximum residue or smaller than theminimum residue exists, V(u)=0 is determined. Further, a set of theentire identification information where V(u) is not zero is determinedas U′ (step S52).

It is to be noted that g indicates the number of pairs that the maximumresidue and the minimum residue match in a set of the residue pairs.

Since it is required to create all of 2(d-g) residues included in theset of residue pairs from up to three sets of the identificationinformation joined to collusion, the identification information u1 that|V(u1)| residues is not less than 2(d-g)/3 is selected from U′ (stepS53).

Since it is required to create all of the remaining 2(d-g)−|V(u1)|residues obtained by subtracting |V(u1)| created by u1 from 2(d-g)residues included in the sets of the identification information by usingup to two sets of the identification information joined to thecollusion, the identification information u2 that |V(u2)−V(u1)| is notless than (2(d-g)−|V(u1)|)/2 is then selected from U′−{u1} (step S54).

If there is no appropriate u2 (step S55), the processing is returned tostep S53, and new u1 is selected.

Since it is required to create all of the remaining 2(d-g)−|V(u1)+V(u2)|residues obtained by subtracting |V(u1)+V(u2)| residues created by u1and u2 from 2(d-g) residues included in the sets of identificationinformation by using up to one set of identification information joinedto the collusion, the identification information u3 that|V(u3)−V(u1)−V(u2) is not less than (2(d-g)−|V(u1)+V(u2)|) is thenselected from U′−{u1, u2} (step S56).

When there is no appropriate u3 (step S57), the processing is returnedto step S54, and the new u2 is selected.

{u1, u2, u3} obtained at steps up to step S57 is the collusion whichprovides the given residue-pair representation. Thus, in order todetermine whether the respective elements u1, u2 and u3 are included inthe common inverse (common identification information), the processingfrom step S51 to step S57 is performed to each of U−{u1}, U−{u2} andU−{u3} instead of U, and whether the collusion which provides the givenresidue-pair representation exists is checked.

At step S58, if there is no collusion which provides the givenresidue-pair representation with respect to U−{u1} (step S59), all ofu1, u2, and u3 are determined as the colluder IDs and {u1, u2, u3} isoutput as a common inverse (step S61).

If there is a collusion which provides the given residue-pairrepresentation with respect to U−{ui} at step S58 (step S59), it isdetermined that such ui is not included in the common inverse (commonidentification information) and this ui is eliminated from {u1, u2, u3}. Also, the common inverse (common identification information) which isa remaining set is output as a collusion (step S60).

It is to be noted that FIGS. 25 and 26 show the case where the maximumcollusion number c=3, but the procedure when the maximum collusionnumber c is not less than 4 can be likewise carried out.

Incidentally, description has been mainly given as to the case where theidentification information=the user ID and the user ID is output as atracing result in the above, but the following many variations can becarried out with respect to the conformation of the tracing resultoutput circuit 2223 of the outer code decoding device 222 of thedecoding device 22 when the identification information≠the user ID.

-   -   The identification information is obtained as a tracing result,        a user ID is acquired from the obtained identification        information, and the user ID is output.    -   The identification information is obtained as a tracing result,        and the obtained identification information is output (a user ID        is acquired outside from the identification information        according to needs).    -   The identification information is obtained as a tracing result,        a copy ID is acquired from the obtained identification        information, a user ID is obtained from the copy ID, and the        user ID is output.    -   The identification information is obtained as a tracing result,        a copy ID is acquired from the obtained identification        information, and the copy ID is output (a user ID is obtained        outside from the copy ID according to needs).    -   The identification information is obtained as a tracing result,        and the obtained identification information is output (a copy ID        is acquired outside from the identification information        according to needs, and a user ID is obtained from the copy ID).

Further, it is also possible to adopt a method of determining only oneor a plurality of given sets of identification information as tracingtargets instead of determining all sets of identification informationwhich can be used or which are actually used as tracing targets. Forexample, when a specific colluder is known by any means, this method canbe applied to specify remaining colluders.

Meanwhile, as described above, when a plurality of colluder groupsmatching with the same residue-pair representation exist by constraininga definite condition between the maximum colluder number c, the number M(=the number of component codes) of the integers and a range of theidentification information to be used, at least one item of commonidentification information (identification information included commonlyin all of a plurality of colluder groups) can be caused to exist. Inthis case, even if a plurality of colluder groups matching with the sameresidue-pair representation exist, the identification information of atleast one colluder (for example, a user ID) can be obtained. One of suchconditions will now be described hereinafter.

One of such conditions can be expressed as follows by using the maximumcollusion number c, the number d of the component codes of the innercode (M in the above example) and a later-described identificationinformation stipulation parameter k.d>(c ²/2)(k−1)

The following shows that at least one item of common identificationinformation necessarily exists even if a plurality of colluder groupsmatching with the same residue-pair representation exist whend>(c²/2)(k−1) is achieved.

In the reference described in connection with the prior art, the outercode is stochastically constituted in the assumption that the residue isregarded as an independent probability variable. This embodimentprovides a method to combinatorially constitute the outer code withoutthis assumption. There is provided a concept of the tracing enablingexpression that the common collusion ID exists between them when aplurality of collusions which provide the same expression exist. Anecessary condition which enables tracing of the residue-pairrepresentation is obtained with respect to general c≧2. The property ofthe combinatorial outer code is formulated as a “tracing possibilityexpression”.

It is assumed that U is a set of identification information (forexample, user IDs) P is a given set and the following is given:

Map φ: POW(U)→P

<Definition 1 (Traceable Representation)>

It is assumed that CC ⊂ POW(U). When the following condition issatisfied, (φ, P, CC) is determined as a traceable representation of U.Here, POW(U) is a power set of U. $\begin{matrix}{\forall{p \in {P\left\lbrack {{\bigcup\limits_{\underset{{\phi{(C)}} = p}{{C \in {CC}},}}C} \neq {\{\}}}\Rightarrow{{\bigcap\limits_{\underset{{\phi{(C)}} = p}{{C \in {CC}},}}C} \neq {\{\}}} \right\rbrack}}} & (1)\end{matrix}$

<Definition 2 (Common Inverse)>

In the traceable representation of U (φ, P, CC), the common inverse ofp∈P is defined as follows. $\begin{matrix}{{T(p)} = {\bigcap\limits_{\underset{{\phi{(C)}} = p}{{C \in {CC}},}}C}} & (2)\end{matrix}$

It is to be noted that C corresponds to a given colluder group, pcorresponds to a residue-pair representation, and a common inverse T(p)corresponds to “identification information (common identificationinformation) which exists commonly in all of a plurality 0of colludergroups when a plurality of the colluder groups C suitable for the sameresidue-pair representation p exist”.

<Theorem 1>

The traceable representation (φ, P, CC) of U satisfying the followingcondition can be utilized as an outer code (identification information)of a c-secure code. $\begin{matrix}{c = {{\min\limits_{C \in \overset{\_}{CC}}\left\{ {C} \right\}} - 1}} & (3)\end{matrix}$

where, CC=POW(U)−C is determined.

It is to be noted that c is a maximum collusion number.

<Verification of Theorem 1>

It is assumed that an inner code (component code) outputs p P wherep=φ(C) by decoding a provided code word u. As to decoding in the outercode, it is determined that p is input and T(p) is output.

Based on the expression (3), if |C| □ c, C ∈ CC is achieved. At thismoment, T(p) ⊂ C is assured, and the c-secure code can be constituted.

Since the traceable representation has the combinatorial structure, anerror in the outer code is not generated.

As a concrete structure of the traceable representation, application tothe c-secure CRT code is assumed, and a structure based on aresidue-pair representation which is a set of residue pairs is given.There is provided a sufficient condition for realizing the residue-pairrepresentation to be the traceable representation.

<Condition 1>

It is assumed that u=Z/nZ, d relatively prime integers p₀, p_(d−1), andan integer k(<d) satisfy p0< . . . <p^(d−1) and |U|≦po0p₁. . . p^(k−1).

<Definition 3 (Residue-Pair Representation)>

The condition 1 is assumed. A set P is defined as follows.P = {((r₀⁽⁻⁾, r₀⁽⁺⁾), ⋯  , (r_(d − 1)⁽⁻⁾, r_(d − 1)⁽⁺⁾))|r_(i)⁽⁻⁾, r_(i)⁽⁺⁾ ∈ Z/p_(i)Z  Λ  r_(i)⁽⁻⁾ ≦ r_(i)⁽⁺⁾}

The map φ: POW(U)→P is defined as follows.ϕ(C) = ((r₀⁽⁻⁾, r₀⁽⁺⁾), ⋯  , (r_(d − 1)⁽⁻⁾, r_(d − 1)⁽⁺⁾))${r_{i}^{( - )}(C)} = {\min\limits_{u \in C}\left\{ {u\quad{mod}\quad p_{i}} \right\}}$${r_{i}^{( + )}(C)} = {\max\limits_{u \in C}\left\{ {u\quad{mod}\quad p_{i}} \right\}}$

It is to be noted that Z indicates a set of the entire integers.Further, nZ indicates a result of multiplying an absolute value of eachelement in the set of the entire integers by n. Therefore, U=Z/nZ={0, 1,2, 3, . . . n−1} can be obtained.

(φ, P) is referred to as a residue-pair representation of U, and p₀, . .. , p_(d−1) are referred to as its modulo and expressed as (p₀, . . .p_(k−1); p_(k), . . . p_(d−1)).

It is to be noted that p₀, . . . p_(d−1) correspond to N(1), . . . N(M)in the above example (d corresponds to M). Furthermore, φ(C) correspondsto r⁽⁻⁾ ₁, r⁽⁻⁾ ₂, . . . r⁽⁻⁾ _(M), r⁽⁺⁾ ₁, r⁽⁺⁾ ₂, . . . r⁽⁺⁾ _(M) inthe above example. Moreover, k constrains a range of the identificationinformation to be used to 0 to p₀×p₁× . . . ×p_(k−1)−1 (0 to N(1)×N(2)×. . . ×N(k)−1 in the above example) from the integers in the range of 0to p₀×p₁× . . . ×p_(d−1)−1 (0 to N(1)×N(2)× . . . ×N(M)−1 in the aboveexample). It is to be noted that k is referred to as an identificationinformation number stipulation parameter.

In case of c=2 and general k≧2:

<Theorem 2>

Condition 1 is assumed.

The residue-pair representation (φ, P) of U gives the traceablerepresentation (φ, P, CC) if the following is achieved.

CC={C∈POW(U)∥C|L≦2},

d≧2k−1

<Lemma 1>

In the residue-pair representation of U, it is assumed that C ∈ POW(U)and the following expression are achieved.

φ(C)=((r₀ ⁽⁻⁾, r₀ ⁽⁺⁾), . . . , (r_(d−1) ⁽⁻⁾, r_(d−1) ⁺⁾))

Then, the following expression can be obtained.

∀i ∈ Z/dZ∃u ∈ C[u≡r_(i) ⁽⁻mod p_(i)]

∀i ∈ Z/dZ∃u ∈ C[u≡r_(i) ⁽⁺mod p_(i)]

<Verification of Lemma 1>

With respect to each residue, it is self-apparent that at least oneoriginal C which generates each residue exists.

<Notation 1>

A distance between u and u′ E U is expressed as follows.δ(u, u″)≡|{i∈Z/dZ|u−u′ mod p_(i)}|

<Lemma 2>

Condition 1 is assumed. With respect to u, u′ ∈ C, the following can beachieved.

u=u′

δ(u, u′)=0

u≠u′

δ(u, u′)≧d−k−1

<Verification of Lemma 2>

As to u and u′, u=u′ is achieved based on Chinese remainder theorem whenk residues match between u and u′. At this moment, any other residuesall match between them.

<Verification of Theorem 2>

It is assumed that the original C of POW(U)={u1, u2}, C′={u1′, u2′}satisfies the following.φ(C)=φ(c′)  (4)C∩C′={}  (5)

It is to be noted that {} indicates an empty set. It is determined thatd′≡δ(u₁, u₂)=δ(u₁′, u₂′)≦d. The expression (4) corresponds to some(determined as m) modulo between u₁ and u₂, and means that u₁′ and u₂′can be obtained by exchanging residues having different values (see FIG.27). When trying to counterchange u₁ and u₁′ and counterchange U₂ andu₂′ by this exchange, the following can be achieved.δ(u ₁ , u ₁′)=δ(u ₂ , u ₂′)=mδ(u ₁ , u ₂′)=δ(u ₁ ′, u ₂)=d′−m

Based on the expression (5), u₁′≠u₁, u₁′≠u₂ can be obtained. The lemma 2is applied to this, and the following is the sufficient condition thatthe expressions (4) and (5) can be achieved.d−k+1≦m≦d′−d+k−1

As a result, when d >2k−1, the expressions (4) and (5) cannot beachieved, and the following expression can be obtained.φ(C)=φ(C′)

C∩C′≡{}

In addition, if one common original exits between C and C′, theremaining originals match with each other based on the lemma 1, and C=C′can be achieved. Therefore, the expression (1) is satisfied, and (φ, P,CC) is the traceable representation of U.

The c-secure CRT code having the above traceable representation as anouter code is still c=2, but it can be regarded as a code obtained bygeneralizing the 2-secure code in “J. Yoshida, K. Iwamura and H. Imai,“A coding method for collusion-secure watermark and less decline”, SCIS'98-10.2A, 1998.” from k=2 to k≧2.

In case of general c≧2 and general k≧2:

With respect to general c≧2 and k≧2, the sufficient condition whichenables the residue-pair representation to be the traceablerepresentation is provided.

<Theorem 3>

Condition 1 is assumed.

The residue-pair representation of U (φ, P) gives the traceablerepresentation of U (φ, P, CC) if the following is achieved.CC={C∈POW(U)∥C|≦c}  (6)d>c ²(k−1)/2  (7)

<Verification of Theorem 3>

A proposition PP(r) is defined as follows.∀C ₁ , . . . C _(r) ∈CC[φ(C ₁)= . . . =φ(C _(r))

C ₁ ∩ . . . ∩C _(r)≡{}]

A basal proposition is determined as PP(2), and verification is carriedout based on the mathematical induction which determines the step of theinduction as follows.∀r≧2[PP(r)

PP(r+1)]

Verification of the proposition PP(2):

It is assumed that the two collusions C₁={u₁, . . . u_(c)} and C2={u₁′,. . . u_(c)′} satisfy the following.φ(C ₁)=φ(C ₂)  (8)C₁∩C₂={}  (9)

With respect to the set of the residue pairs φ(C₁) relative to C₁, thefollowing is defined.Ω≡{i∈Z/dZ|r_(i) ⁽⁻⁾≠r_(i) ⁽⁺⁾}g≡d−|Ψ|

With respect to u ∈ U, the following is defined.V⁽⁻⁾(u) ≡ {(i, −)|i ∈ Ω, u ≡ r_(i)⁽⁻⁾ ≡ r⁽⁺⁾mod  p_(i)}V⁽⁺⁾(u) ≡ {(i, +)|i ∈ Ω, u ≡ r_(i)⁽⁺⁾ ≡ r⁽⁻⁾mod  p_(i)}V(u) ≡ V⁽⁻⁾(u)⋃v⁽⁺⁾(u),

Based on the expression (8), the following expression can be obtained.$\begin{matrix}{{\bigcup\limits_{i = 1}^{c}{V\left( u_{i} \right)}} = {\bigcup\limits_{i = 1}^{c}{V\left( u_{i}^{\prime} \right)}}} \\{= {\left\{ {\bigcup\limits_{i = 1}^{c}{V\left( u_{i} \right)}} \right\}\bigcap\left\{ {\bigcup\limits_{j = 1}^{c}{V\left( u_{j}^{\prime} \right)}} \right\}}}\end{matrix}$

In the above expression, the order on the both sides is taken.$\begin{matrix}\begin{matrix}{{2\left( {d - g} \right)} = {{\left\{ {\bigcup\limits_{i = 1}^{c}{V\left( u_{i} \right)}} \right\}\bigcap\left\{ {\bigcup\limits_{j = 1}^{c}{V\left( u_{j}^{\prime} \right)}} \right\}}}} \\{= {{\bigcup\limits_{i = 1}^{c}{\bigcup\limits_{j = 1}^{c}\left\{ {{V\left( u_{i} \right\}}\bigcap{V\left( u_{j}^{\prime} \right)}} \right\}}}}} \\{\leq {\sum\limits_{i = 1}^{c}{\sum\limits_{j = 1}^{c}{{{V\left( u_{i} \right)}\bigcap{V\left( u_{j}^{\prime} \right)}}}}}}\end{matrix} & (10)\end{matrix}$

Based on the expression (9), since ∀i, j[u_(i)≠u′_(j)], the followingexpression can be obtained based on the lemma 2.|V(u _(i))∩V(u′ _(j))|≦k−g−1  (11)

Therefore, the following expression is obtained by substituting theexpression (11) for the expression (10).d≦c ²(k−1)/2−(c ²/2−1)g

Therefore, when the condition d>c²(k−1)/2 assumed by the theorem issatisfied, the preposition PP(2) is achieved.

Verification of Preposition PP(r)

Preposition PP(r+1):

It is assumed that (r+1) collusions C_(i) (i=1, . . . r+1) satisfies thefollowing condition.∀i∈{1, . . . r+1} [C _(i) |≦c]φ(C ₁)= . . . =φ(C _(r+1))

Assume that P(r) holds but P(r+1) does not hold. Then, we can derive acontradiction as follows. Assume the following expression.$\begin{matrix}{{C^{\bigcap} \equiv {\bigcap\limits_{i = 1}^{r + 1}c_{i}}} = {\{\}}} & (12)\end{matrix}$

The following expression is achieved based on the basal prepositionP(r).$\forall{i \in {\left\{ {1,\cdots\quad,{r + 1}} \right\}\left\lbrack {{\overset{\_}{C}}_{i}^{\bigcap} \equiv {\bigcap\limits_{\underset{j \neq i}{{j = 1},}}^{r + 1}c_{j}} \neq {\{\}}} \right\rbrack}}$

Based on the expression (12), the following expression can be achieved.∀i∀j≠i[ C _(i) ^(∩)∩ C _(j) ^(∩)=C^(∩)={}]

Based on the above expression, the following expression can be achieved(see FIG. 28).∀i∈{1, . . . , r+1}∃ u _(i)∈ C _(i) ^(∩[i≠j u) _(i)≠ u _(j)]

Since ∀i≠[ u _(j) ∈C_(i)], the following expression can be achieved.C _(i) ⊃{ u _(j) |j=1, . . . i−1, i+1, . . . , r+1}

Therefore, r≦|C_(i)|≦c can be obtained.

In case of r>c, the expression (12) is apparently the contradiction.

In case of r=c, the following expression can be achieved with respect toeach i.C _(i) ={u _(j) |j=1, . . . , i−1, i+1, . . . , c }

The following expression can be achieved with respect to each j(≠i).$\begin{matrix}\begin{matrix}{{{V\left( {\overset{\_}{u}}_{j} \right)}} = {{{V\left( {\overset{\_}{u}}_{j} \right)}\bigcap{\bigcap\limits_{u \in C_{i}}{V(u)}}}}} \\{\leqq {c\left( {k - g - 1} \right)}}\end{matrix} & (13)\end{matrix}$

Therefore, the following expression can be achieved. $\begin{matrix}{{2\left( {d - g} \right)} = {{\bigcup\limits_{\underset{j \neq i}{{j = 1},}}^{c + 1}\left\{ {{V\left( {\overset{\_}{u}}_{j} \right)}\bigcap{\bigcup\limits_{u \in C_{i}}{V(u)}}} \right\}}}} \\{\leqq {c^{2}\left( {k - g - 1} \right)}}\end{matrix}$

Based on this, the following expression can be achieved. $\begin{matrix}{{{V\left( {\overset{\_}{u}}_{j\quad 1\quad\cdots\quad{jw}} \right)}} = {{{V\left( {\overset{\_}{u}}_{j\quad 1\quad\cdots\quad{jw}} \right)}\bigcap{\bigcup\limits_{u \in C_{ji}}{V(u)}}}}} \\{\leqq {c\left( {k - g - 1} \right)}}\end{matrix}$

Therefore, when the condition d>c²(k−1)/2 assumed by the theorem issatisfied, the expression (12) is the contradiction.

In case of r<c, as a point different from the discussion when r=c, as anoriginal of C_(i), there are the possibility that there is the originalwhich does not correspond to u _(j)(j≠i) defined above and doesn'tbelong to any C ^(∩) ^(i) (exception 1) and the possibility that two ormore originals of a given C ^(∩) _(i) exist (exception 2).

The original u _(j) . . . jw in the exception 1 does not belong tow(2≦w≦r) collusions C_(j1), . . . C_(jw)(j_(i) ∈{1, . . . r+1})collusions but belongs to the remaining (r−w+1) collusions. In thiscase, like the expression (13), an appropriate C_(ji) is selected, andthe following expression can be obtained. $\begin{matrix}{{{V\left( {\overset{\_}{u}}_{j\quad 1\quad\cdots\quad{jw}} \right)}} = {{{V\left( {\overset{\_}{u}}_{j\quad 1\quad\cdots\quad{jw}} \right)}\bigcap{\bigcup\limits_{u \in C_{ji}}{V(u)}}}}} \\{\leqq {c\left( {k - g - 1} \right)}}\end{matrix}$

Two or more originals in the exception 2 respectively satisfy theexpression (13). Therefore, even if the exception 1 or the exception 2exists, the same discussion as that in case of r=c can be developed.When the condition d>c²(k−1)/2 assumed by the theorem is satisfied, theexpression (12) is the contradiction. Based on this, the prepositionPP(r)

the preposition PP(r+1) is verified.

As described above, it is proved that at least one set of commonidentification information necessarily exists when d >(c²/2)(k−1) isachieved even if a plurality of colluder groups matching with the sameresidue-pair representation exist.

It is to be noted that the system can be formed by using a conditionobtained by modifying the condition d>(c²/2)(k−1). Since the abovecondition is not the necessary sufficient condition, it is possible toadopt a structure that the identification information of at least onecolluder (user ID) can be necessarily obtained by using a value smallerthan d or a value larger than k which satisfies the above condition evenif a plurality of colluder groups matching with the same residue-pairrepresentation exist (for instance, the example shown in FIG. 16 isobtained by modifying the above condition). Further, even if there occursome cases which cannot specify the identification information ofcolluders (user IDs) at all since a plurality of colluder groupsmatching with the same residue-pair representation exist and there is nouser ID which exists commonly in all of a plurality of the colludergroups, the system can be constituted with a shorter code by using thevalue obtained by modifying the above condition as long as such casescan be allowed.

Description will now be given as to a case where the present inventioncan be applied to a c-secure CRT code on a Dedekind ring.

In the present embodiment, the c-secure CRT code is obtained by applyingthe mathematical theorem called the Chinese remainder theorem and theidentification information is represented in the form of integers byusing integer modulo p₀, p₁, p_(d−1), but achievement of the Chineseremainder theorem is not restricted to a ring formed by integers. In thering called the Dedekind ring, it is well known that the Chineseremainder theorem is achieved. Therefore, the present invention can belikewise applied to the c-secure CRT code constituted on the Dedekindring. As the Dedekind ring other than a ring formed by integers, apolynomial ring over an infinite field is known. A structure of thec-secure CRT code on such a polynomial ring over the infinite field isdescribed in detail in a reference “M. Kim, J. Shikata, H. Murakami, andH. Imai, “Constructing c-secure codes using polynomials over finitefields”, SITA2001, W-B-1-3, 2001.”

Giving explanation in comparison with the ring formed by integers, themodulo p₀, p₁, . . . p_(d−1) are a set of relatively prime integers incase of the ring formed by integers, but they are the following set ofan irreducible polynomial having no common factor in case of thepolynomial ring.p₀(x), p₁(x), . . . p_(d−1)(x)

In place of the condition p₀<p₁< . . . <p_(d−1), the following conditionis used.deg(0)≦deg(1)≦ . . . deg(d−1)

Here, deg(i) is determined as an order of the polynomial p_(i)(x). Here,it is assumed that a coefficient of the polynomial is defined over aninfinite field F(q). In place of the condition |U|≦p₀×p₁× . . .×p_(k−1), the following condition is used.|U|≦q ^(deg(0)) ×q ^(deg(1)) × . . . ×q ^(deg(k−1))

U in this expression is determined as a set of monic polynomials of the(deg(0)+deg(1)+ . . . +deg(k−1)) or lower order.

When the magnitude relationship between the two polynomials is definedand the residue is determined as a residue in the meaning of polynomials(for example, when all the possible residues are associated withpositive integers starting from 0 in accordance with each polynomialp_(i)(x) which can be a modulo and the positive integers are processedas the reference residue in the modulo mentioned above), the c-secureCRT code is constituted over the polynomial ring in completely the sameway as the ring of the integers described above, thereby configuring thecombinatorial outer code.

A hardware structure and a software structure of this embodiment willnow be described hereinafter.

The electronic watermark analysis apparatus according to this embodimentcan be realized as hardware as well as software (program (for causing acomputer to execute predetermined means, or causing a computer tofunction as predetermined means, or causing a computer to realize apredetermined function)). Further, in case of realizing the electronicwatermark analysis apparatus in the form of software, a program can betransferred by using a recording medium, or a program can be distributedby using a communication medium. Of course, these can be also applied tothe electronic watermark embedding apparatus.

Furthermore, in case of forming the electronic watermark embeddingapparatus or the electronic watermark analysis apparatus as hardware, itcan be formed as a semiconductor apparatus.

Moreover, in case of forming the electronic watermark analysis apparatusto which the present invention is applied, or in case of creating anelectronic watermark analysis program, even if there are block ormodules having the same structure (or a structure which can be shared orused repeatedly), they all can be individually created. However, onlyone or an appropriate number of blocks or modules having the samestructure (or a structure which can be shared or used repeatedly) may beprepared, and they may be shared (used repeatedly) in each part in thealgorithm. In case of forming the electronic watermark embeddingapparatus or creating an electronic watermark embedding program, thiscan be also applied. In addition, when forming a system including theelectronic watermark embedding apparatus and the electronic watermarkanalysis apparatus, or when creating a system including the electronicwatermark embedding program and an electronic watermark detectionprogram, only one or an appropriate number of blocks or modules havingthe same structure (or a structure which can be shared or usedrepeatedly) may be prepared over the electronic watermark embeddingapparatus (or program) and the electronic watermark analysis apparatus(or program), and they may be shared (used repeatedly) in each part inthe algorithm.

Further, in case of forming the electronic watermark embedding apparatusor the electronic watermark analysis apparatus in the form of software,a multiprocessor may be utilized, parallel processing may be carriedout, and a speed of processing may be increased.

The structure described above can be achieved as not only a part of theapparatus but also one apparatus. For example, the decoding device 22 ofthe electronic watermark analysis apparatus 2 can be achieved as anintegral and inseparable constituent part configuring the electronicwatermark analysis apparatus 2, or a part, a module and the like formingthe electronic watermark analysis apparatus, or an independent decodingdevice.

Meanwhile, a watermark technique with respect to a digital watermark canbe applied to digital data as well as a matter having given informationor a material whose identity, homogeneity, economic merit or the likecannot be changed even if contents of a part of the information or thematerial are varied, and the present invention can be applied to suchinformation or a material as well as digital data.

For example, in the present invention, generating means and detectingmeans for a code to be embedded which are used in the electronicwatermark embedding apparatus/electronic watermark analysis apparatushaving the resistance to collusion attacks can be applied to tracing ofa source of a chemical compound or a chemical material which ischemically synthesized or biologically generated in an environmentindustrially managed. As a chemical compound, DNA, RNA, protein and anyother polymeric compounds have many redundancies enabling embedding of acode.

Description will now be given as to a case where the present inventionis applied as a watermark technique which provides means for embeddingindividual information (a user ID, a manufacturer ID, a seller ID, atransaction ID, information of combining these IDs and others) to a copyof a compound and specifying a source thereof.

A compound includes materials such as a plurality of atoms, moleculesand groups. For example, DNA or RNA has a predetermined array structureof an amino acid, and information can be represented by whether thisstructure is substituted by that of another amino acid. In one ofstructures of the compound, there is a case where the identify oreconomic merit of a work is not changed even if data is varied in theevent of digital contents. Likewise, even if a composition is changed,there is a case that its property/function and others such as aneffect/side effect/utility (in another point of view, an economic merit)are not changed in the purpose. Information which individuallyidentifies the copy can be embedded by a change within such an allowablerange.

In case of applying the electronic watermark according to the presentinvention to a compound, the watermark embedding apparatus relative tothe compound has a structure which changes bits in a predetermined partof digital contents in the watermark embedding apparatus with respect todigital contents being substituted by an apparatus which changes acomposition of a predetermined part of the compound. The code generatormay have the similar structure. Furthermore, the watermark analysisapparatus relative to a compound has a structure which detectsinformation used to read values of bits in a predetermined part indigital contents in order to detect watermark information in thewatermark analysis apparatus with respect to the digital contents beingsubstituted by an apparatus which analyzes a composition of apredetermined part of the compound in order to detect the watermarkinformation. The decoding device may have the similar structure. Thatis, only a device which can be an interface with a compound isdifferent, and other parts are the same as those of the watermarktechnique relative to digital contents in theory.

FIG. 29 shows a structural example of a watermark embedding apparatusrelative to a compound.

A code generator 3001 receives identification information to be embeddedin the compound and outputs a collusion-secure code. It may have thesame structure as the code generating device 11 illustrated in FIG. 2.

Structure converters 3002 to 3004 for a specific part respectivelyconvert a structure of the compound with respect to each bit of acollusion-secure code or a each set of bits in accordance with a valuethereof. The structure converter 3002 for a specific part processes aspecific part 1 of a fundamental compound, the structure converter 3003for a specific part processes a specific part 2 of the compound obtainedby processing the specific part 1, and the structure converter 3004 fora specific part processes a specific part 3 of the compound obtained byprocessing the specific parts 1 and 2 and generates a desired compoundhaving information embedded therein. Of course, the three structureconverters are illustrated in FIG. 29 but the number of these portionsis not restricted to three.

Here, conversion of the structure of the compound represents means forconverting into a compound having a different structure withoutdeteriorating a property, function or the like suitable for a purpose ofutilization of the compound and without causing a new adverse effect,side effect and others. Alternatively, when the compound is not a purecompound but a mixture, it may be means for changing its composition.

FIG. 30 shows another structural example of the watermark embeddingapparatus relative to the compound.

Although the structural example of FIG. 29 converts the structure of thealready synthesized compound later, the structural example of FIG. 30embeds a code when synthesizing the compound.

The code generator 3011 inputs identification information to be embeddedin the compound and generates a collusion-secure code. It may have thesame structure as that of the code generating device 11 of FIG. 2.

In this example, a synthetic material according to a value of each bitof a collusion-secure code or a each set of bits is prepared withrespect to such each bit or set in accordance with each syntheticmaterial. Synthetic material selectors 3012 to 3014 respectively selecta synthetic material of the compound according to a value of each bit ofa collusion-secure code or each set of bits with respect to such eachbit or set. Although the three synthetic material selection portions areshown in FIG. 30, the number of the portions is not restricted to three.

The synthesis portion 3015 combines synthetic materials selected by therespective synthetic material selectors 3012 to 3014 and generates adesired embedded compound.

Meanwhile, in a collusion attack to the compound, basically like thecollusion attack to digital contents, for example, the collusion attackis generated by changing a structure in a part where there is adifference by comparing structures of the compounds having a pluralityof sets of different identification information (for example, user IDs,manufacturer IDs, user IDs and manufacturer IDs, and others).

FIG. 31 shows a structural example of the watermark analysis apparatusrelative to a compound.

Structure reading circuits 3201 to 3201 for a specific part correspondto the structure converters 3002 to 3004 for a specific part shown inFIG. 29 or the synthetic material selectors 3012 to 3014 illustrated inFIG. 30, read a structure of a specific part in the compound, and outputit as information of a bit or a set of bits.

The decoder 3204 executes the tracing algorithm based on these bits andspecifies that there has been no collusion attack or specifies a user IDcorresponding to a collusion-secure code embedded in a copy which mighthave been used in the collusion attack. It may have the same structureas that of the decoding device 22 shown in FIG. 3.

Here, in regard to conversion means for a structure of a compound or areading means for a structure used in the present invention, a usabletechnique will be described. Description will be given as to an exampleof DNA.

In DNA, obtaining its base sequence is referred to as sequencing. As amethod of sequencing, there are known a shotgun method, a primer walkmethod, a nested deletion method and others. They are all methods basedon cloning of a gene. As to examples of a reagent/device/apparatus usedin sequencing, various kinds of methods have been proposed. For example,such a method is disclosed in “Cloning and Science” supervised by KakuWatanabe, edited by Masahiro Sugiura, Nouson Bunka Sha (1989) or “GenomeScience” edited by Katsuyuki Sakaki and others, Kyoritsu Shuppann(1999).

Likewise, in the example of DNA, structure conversion is enabled by agene introduction method used when introducing a new gene. As a geneintroducing method, there are known a chemical method such as a calciumphosphate sedimentation, a dextran method or a ribofection method, anelectroporation, and a microinjection method. For example, such a methodis disclosed in “Molecular Cell Technology” by Nobuyuki Haga, Colona Sha(2000).

Meanwhile, as an applicable example other than tracing of digitalcontents to a copy, there has been described an example of tracingrelative to a compound or a chemical material.

Assuming that such a tracing target is referred to as an “object”, thepresent invention can be applied to tracing of an object other thandigital contents, a compound or a chemical material. In this embodiment,as an example of electronic data that an object does not have a physicalentity (or electronic data transferred with a physical entity being usedas a medium), the digital contents have been explained. In thisembodiment, as a technique of embedding a collusion-secure codecorresponding to the identification information to the digital contents,the electronic watermark technique is used, but the present inventioncan be applied to any other cases where other techniques are used.Furthermore, in this embodiment, as an example that the object is amaterial, DNA, RNA or protein which includes gene information has beendescribed. In this embodiment, as a technique of writing acollusion-secure code corresponding to the identification information toDNA, RNA, protein and the like, description has been given as to theexample of carrying out such a technique by recombination of DNA orsubstitution of an amino acid array of protein. However, as describedabove, only the technique which is an interface with the object isdifferent, the identification information or the collusion-secure codecan be processed in the electronic information processing system, andthis processing is the same in any objects in theory. Therefore, theabove-described structure can be provided by only selecting thetechnique of embedding the collusion-secure code corresponding to theidentification information to the object in accordance with the object.

According to the embodiments of the present invention, theidentification information of the object used in the collusion attack tothe object having the identification information based on thecollusion-secure code embedded therein can be assuredly traced by usinga shorter code length.

Additional advantages and modifications will readily occur to thoseskilled in the art. Therefore, the present invention in its broaderaspects is not limited to the specific details, representative devices,and illustrated examples shown and described herein. Accordingly,various modifications may be made without departing from the spirit orscope of the general inventive concept as defined by the appended claimsand their equivalents. For example, the present invention can bepracticed as a computer readable recording medium in which a program forallowing the computer to function as predetermined means, allowing thecomputer to realize a predetermined function, or allowing the computerto conduct predetermined means.

The present invention can be also applied when using the “informationwhich represents the identification information” having a structuredifferent from that of the above-described collusion-secure code. Inthis case, for example, when obtaining the corresponding identificationinformation based on the information which represents the identificationinformation extracted from the object, the information which representsthe identification information extracted from a target object is input,and a collusion group (for example, a colluder group that can generatethe input information which represents the identification information bya collusion attack or that has a high probability of generation of thisinformation) having a fixed relationship with the input informationwhich represents the identification information is obtained fromcollusion groups formed of arbitrary combinations of the identificationinformation whose collusion number is not more than a predeterminedmaximum collusion number. Also, when a plurality of collusion groups areobtained, the identification information which exists commonly in aplurality of these colluder groups.

Incidentally, the structure described in the embodiment according to thepresent invention is an example, and any other structures are notexcluded. Different structures can be carried out, which can be obtainedby substituting a part of the illustrated structure by anotherstructure, omitting a part of the illustrated structure, adding anotherfunction or element to the illustrated structure or combining thesestructures. It is possible to adopt another structure logicallyequivalent to the exemplified structure, another structure including apart logically equivalent to the exemplified structure, anotherstructure logically equivalent to a primary part of the exemplifiedstructure. Furthermore, it is possible to employ another structure whichcan attain the similar or same purpose as that of the exemplifiedstructure, another structure which demonstrates the same or similaradvantage as that of the exemplified structure, and others.

Moreover, many variations of various constituent parts exemplified inthe embodiment according to the present invention can be appropriatelycombined and carried out.

The present invention is not restricted to the foregoing embodiment andcan be modified in many ways within a technical range thereof.

1. A method for analyzing items of identification information of anobject based on a code extracted from the object, the method comprising:detecting a first boundary position information representing a boundaryposition on a high-order bit side and second boundary positioninformation representing a boundary position on a low-order bit side ina changed part relative to a pattern of a bit string of each of aplurality of components forming the code extracted from the object;extracting, from colluder groups formed of combinations of apredetermined number of items of the identification information, asingle colluder group or colluder groups matching with a set of thedetected first and second boundary position information; extracting, ifthe single colluder group is extracted, items of the identificationinformation included in the single colluder group; extracting, if thecolluder groups are extracted, items of the identification informationincluded in all of the extracted colluder groups; and extracting acolluder group or colluder groups matching with a set of the first andsecond boundary position information detected, based on predeterminedinformation indicative of a relationship between a set of the first andsecond boundary position information and one or a plurality of colludergroups matching with the set of the first and second boundary positioninformation.
 2. The method according to claim 1, further comprising:outputting information indicative of no item of the identificationinformation when there is no item of the identification informationincluded in all of the extracted colluder groups.
 3. The methodaccording to claim 1, wherein the items of identification informationextracting comprises at least one of: detecting all of the items of theidentification information forming the colluder group matching with theset of the first and second boundary position information detected,based on predetermined information indicative of a relationship betweenthe set of the first and second boundary position information and all ofthe items of the identification information forming the colluder groupmatching with the set of the first and second boundary positioninformation; detecting items of the identification information includedin all of the extracted colluder groups matching with the set of thefirst and second boundary position information detected, based onpredetermined information indicative of a relationship between the setof the first and second boundary position information and items of theidentification information included in all of the extracted colludergroups matching with the set of the first and second boundary positioninformation; and detecting that there is no colluder group matching withthe set of the first and second boundary position information detectedby the detector, based on predetermined information indicative of arelationship between the set of the first and second boundary positioninformation and information indicating that there is no colluder groupmatching with the set of the first and second boundary positioninformation.
 4. The method according to claim 1, further comprising:detecting a colluder group or colluder groups matching with the set ofthe first and second boundary position information detected, based onthe set of the first and second boundary position information detectedand a set of third boundary position information representing a boundaryposition where a pattern of a bit string in each of a plurality ofcomponents forming a collusion-secure code corresponding to theidentification information varies.
 5. The method according to claim 1,further comprising: detecting a colluder group matching with the set ofthe first and second boundary position information detected; detectingcolluder groups including identification information included in thecolluder group detected and extracting colluder groups matching with theset of the first and second boundary position information detected amongthe colluder groups including the identification information; anddetecting identification information common to the colluder groupsextracted, and outputting the obtained identification information asinformation indicative of a colluder attacker relative to the object. 6.The method according to claim 1, further comprising: detecting acolluder group matching with the set of the first and second boundaryposition information detected; determining whether there is a colludergroup which does not include items of the identification informationcontained in the colluder group detected; matching with the set of thefirst and second boundary position information detected; and outputtingthe specific identification information as information indicative of acollusion attacker relative to the object when it is determined thatthere is no colluder group.
 7. A method for analyzing items ofidentification information of an object based on a code extracted fromthe object, the method comprising: detecting a first boundary positioninformation representing a boundary position on a high-order bit sideand second boundary position information representing a boundaryposition on a low-order bit side in a changed part relative to a patternof a bit string of each of a plurality of components forming the codeextracted from the object; extracting, from colluder groups formed ofcombinations of a predetermined number of items of the identificationinformation, a single colluder group or colluder groups matching with aset of the detected first and second boundary position information;extracting, if the single colluder group is extracted, items of theidentification information included in the single colluder group; andextracting, if the colluder groups are extracted, items of theidentification information included in all of the extracted colludergroups, wherein the extracting items of identification informationcomprises at least one of: detecting all of the items of theidentification information forming the colluder group matching with theset of first and second boundary position information based onpredetermined information indicative of a relationship between the setof first and second boundary position information and all of the itemsof the identification information forming the colluder group matchingwith the set of first and second boundary position information,detecting items of the identification information included in all of theextracted colluder groups matching with the set of first and secondboundary position information based on predetermined informationindicative of a relationship between the set of first and secondboundary position information and items of the identificationinformation included in all of the extracted colluder groups matchingwith the set of first and second boundary position information, anddetecting that there is no colluder group matching with the set of firstand second boundary position information, based on predeterminedinformation indicative of a relationship between the set of first andsecond boundary position information and information indicating thatthere is no colluder group matching with the set of first and secondboundary position information.
 8. The method according to claim 7,further comprising: outputting information indicative of no item of theidentification information when there is no item of the identificationinformation included in all of the extracted colluder groups. 9.(canceled)
 10. The method according to claim 7, further comprising:detecting a colluder group or colluder groups matching with the set ofthe first and second boundary position information detected, based onthe set of the first and second boundary position information detected,and a set of third boundary position information representing a boundaryposition where a pattern of a bit string in each of a plurality ofcomponents forming a collusion-secure code corresponding to theidentification information varies.
 11. The method according to claim 7,further comprising: detecting a colluder group matching with the set ofthe first and second boundary position information detected; detectingcolluder groups including identification information included in thecolluder group detected, and extracting colluder groups matching withthe set of the first and second boundary position information detectedamong the colluder groups including the identification information;detecting identification information common to the colluder groupsextracted; and outputting the obtained identification information asinformation indicative of a colluder attacker relative to the object.12. The method according to claim 7, further comprising: detecting acolluder group matching with the set of the first and second boundaryposition information detected; determining whether there is a colludergroup which does not include items of the identification informationcontained in the colluder group detected; matching with the set of thefirst and second boundary position information detected; and outputtingthe specific identification information as information indicative of acollusion attacker relative to the object when it is determined thatthere is no colluder group.
 13. A method for analyzing items ofidentification information of an object based on a code extracted fromthe object, the method comprising: detecting a first boundary positioninformation representing a boundary position on a high-order bit sideand second boundary position information representing a boundaryposition on a low-order bit side in a changed part relative to a patternof a bit string of each of a plurality of components forming the codeextracted from the object; extracting, from colluder groups formed ofcombinations of a predetermined number of items of the identificationinformation, a single colluder group or colluder groups matching with aset of first and second boundary position information; extracting, ifthe single colluder group is extracted, items of the identificationinformation included in the single colluder group; and extracting, ifthe colluder groups are extracted, items of the identificationinformation included in all of the extracted colluder groups, whereinthe detecting comprises detecting the first boundary positioninformation based on a change in pattern of the bit string when seenfrom a high-order bit side of the components, and detecting the secondboundary position information based on a change in pattern of the bitstring when seen from a low-order bit side of the components.
 14. Themethod according to claim 13, further comprising: outputting informationindicative of no item of the identification information, when there isno item of the identification information included in all of theextracted colluder groups.
 15. The method according to claim 13, furthercomprising: extracting a colluder group or colluder groups matching witha set of the first and second boundary position information detected,based on predetermined information indicative of a relationship betweena set of the first and second boundary position information and one or aplurality of colluder groups matching with the set of the first andsecond boundary position information.
 16. The method according to claim13, comprising at least one of the following steps: a first step ofdetecting all of the items of the identification information forming thecolluder group matching with the set of the first and second boundaryposition information detected based on predetermined informationindicative of a relationship between the set of the first and secondboundary position information and all of the items of the identificationinformation forming the colluder group matching with the set of thefirst and second boundary position information; a second step ofdetecting items of the identification information included in all of theextracted colluder groups matching with the set of the first and secondboundary position information detected, based on predeterminedinformation indicative of a relationship between the set of the firstand second boundary position information and items of the identificationinformation included in all of the extracted colluder groups matchingwith the set of the first and second boundary position information; anda third step of detecting that there is no colluder group matching withthe set of the first and second boundary position information detected,based on predetermined information indicative of a relationship betweenthe set of the first and second boundary position information andinformation indicating that there is no colluder group matching with theset of the first and second boundary position information.
 17. Themethod according to claim 13, further comprising: detecting a colludergroup or colluder groups matching with the set of the first and secondboundary position information detected, based on the set of the firstand second boundary position information detected, and a set of thirdboundary position information representing a boundary position where apattern of a bit string in each of a plurality of components forming acollusion-secure code corresponding to the identification informationvaries.
 18. The method according to claim 13, further comprising:detecting a colluder group matching with the set of the first and secondboundary position information detected; detecting colluder groupsincluding identification information included in the colluder groupdetected by the first unit and extracting colluder groups matching withthe set of the first and second boundary position information detectedamong the colluder groups including the identification information; anddetecting identification information common to the colluder groupsextracted by the second unit and outputs the obtained identificationinformation as information indicative of a colluder attacker relative tothe object.
 19. The method according to claim 13, further comprising:detecting a colluder group matching with the set of the first and secondboundary position information detected; determining whether there is acolluder group which does not include item of the identificationinformation contained in the colluder group detected; matching with theset of the first and second boundary position information detected; andoutputting the specific identification information as informationindicative of a collusion attacker relative to the object when thesecond unit determines that there is no colluder group.
 20. The methodaccording to claim 13, wherein each of a plurality of the components isa bit string including only continuous 1 or 0 having a predetermined bitnumber, the code includes a string of unit bits, and further includes acode obtained by concatenating a string of unit bits including only 1from a high-order bit side and subsequently concatenating a string ofunit bits including only 0, a code obtained by concatenating a string ofunit bits including only 0, and a code obtained by concatenating astring of unit bits including only 1; detecting, when there is a firstposition at which the string of unit bits including only 0 and thestring of unit bits including only 1 are adjacent to each other, as thefirst boundary position information is an integer value indicative ofthe first position; detecting, when there is a second position at whichthe string of unit bits including only 1 and the string of unit bitsincluding only 0 are adjacent to each other, as the second boundaryposition information an integer value indicative of the second position;detecting, when the string of unit bits at the most significant bit sidecomprises a string of unit bits comprising 0 and 1, as the firstboundary position information is an integer 0; and detecting, when thestring of unit bits at the most significant bit side comprises a stringof unit bits comprising 0 and 1, as the second boundary positioninformation a value obtained by subtracting 1 from the number of thestrings of the unit bits that the component has.
 21. A method foranalyzing items of identification information of an object based on acode extracted from the object, the method comprising: detecting a firstboundary position information representing a boundary position on ahigh-order bit side and second boundary position informationrepresenting a boundary position on a low-order bit side in a changedpart relative to a pattern of a bit string of each of a plurality ofcomponents forming the code extracted from the object; extracting, fromcolluder groups formed of combinations of a predetermined number ofitems of the identification information, a single colluder group orcolluder groups matching with a set of first and second boundaryposition information; extracting, if the single colluder group isextracted, items of the identification information included in thesingle colluder group; extracting, if the colluder groups are extracted,items of the identification information included in all of the extractedcolluder groups; detecting the first boundary position information basedon a change in pattern of the bit string when seen from a high-order bitside of the components; detecting the second boundary positioninformation based on a change in pattern of the bit string when seenfrom a low-order bit side of the components; generating acollusion-secure code corresponding to the identification information ofthe object, a restriction being provided between a maximum number ofcolluders defined by a tracing algorithm, number of components formingthe code, and a settable range of the identification information; andembedding the generated code in the object, wherein c is the maximumnumber, d is the number of components forming the code, p₀, p₁, . . .p_(d−1) are relatively prime integers (where 0<p₀<p₁< . . . <p_(d−1)), Vmod p_(i−i) is an integer value which determines a boundary position atwhich a pattern of a bit string in an i-th component relative toidentification information V varies, and a range of the identificationinformation are integers which fall within a range from 0 to p₀×p₁× . .. ×(p_(k−1)−1), the restriction between d, c and k is represented byd>(c²/2)×(k−1).
 22. The method according to claim 21, wherein the objectcomprises a chemical material product, and a component is changed toinsert the code into the object.
 23. A method for analyzing items ofidentification information of an object based on a code extracted fromthe object, the method comprising: detecting a first boundary positioninformation representing a boundary position on a high-order bit sideand second boundary position information representing a boundaryposition on a low-order bit side in a changed part relative to a patternof a bit string of each of a plurality of components forming the codeextracted from the object; extracting, from colluder groups formed ofcombinations of a predetermined number of items of the identificationinformation, a colluder group or colluder groups matching with a set ofthe first and second boundary position information detected; extractingitems of the identification information included in a single colludergroup if the colluder group extraction unit extracts the single colludergroup; extracting items of the identification information included inall of the extracted colluder groups if the colluder group extractionunit extracts colluder groups; detecting the first boundary positioninformation based on a change in pattern of the bit string when seenfrom a high-order bit side of the components; detecting the secondboundary position information based on a change in pattern of the bitstring when seen from a low-order bit side of the components; generatinga collusion-secure code corresponding to the identification informationof the object, a restriction being provided between a maximum number ofcolluders defined by a tracing algorithm, number of components formingthe code, and a settable range of the identification information; andembedding the generated code in the object, wherein an i-th component ofthe code comprises a bit string including continuous 1 or 0 having apredetermined bit number, and the code comprises a string of unit bitsobtained by concatenating a string of unit bits including only 1 whosenumber is the same as the integer value V mod p_(i−1) from a high-orderbit side and subsequently concatenating a string of unit bits includingonly 0 whose number is the same as a value obtained by subtracting 1 andthe integer value V mod p_(i−1) from the integer value p_(i−1).
 24. Themethod according to claim 23, wherein the object comprises a chemicalmaterial product, and a component is changed to insert the code into theobject.